Hi Hans,
On 15/05/14 15:36, j.witvl...@mindef.nl wrote:
> Hi all,
> The safest place to keep the private key is on a smartcard protected
> by a PIN.
> Many people use this on the client side for openvpn (but also other
> applications).
> I was wondering if people have experience with storing the private key
> of the vpn-server on a crypto-device, like a token, smartcard or HSM.
> Any performance issues to be expected, or other reasons not to walk
> this path?
I've always avoided putting the server private key on a crypto-device
out of fear of performance degradation; I guess it depends a bit on how
many clients connect, but for every client connection and for every
renegotiation the crypto device needs to perform work - and worse,
during that time the *entire* vpn is stalled.
If the number of concurrent clients is relatively low (less than 10) and
you've set renegotiation to occur only once every 24 hours or so then you
should be OK, but otherwise I'd expect a serious performance hit if you
store the server key on a crypto device.
cheers,
JJK / Jan Just Keijser
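
Added example, not part of the original message: a server configuration excerpt for the setup discussed in the reply above, with the private key on a PKCS#11 device and renegotiation limited to once every 24 hours. File paths, the PKCS#11 module location and the token ID are assumptions or placeholders.

```conf
# server.conf (excerpt) - constructed example, adjust to your installation

# CA certificate used to verify clients (assumed path)
ca /etc/openvpn/ca.crt

# No "cert" or "key" lines: the server certificate and private key are
# taken from the token, so the key never exists as a file on disk.
# Module path is an assumption (OpenSC); use the one shipped for your device.
pkcs11-providers /usr/lib/opensc-pkcs11.so

# Placeholder. List the real serialized IDs on the token with:
#   openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
pkcs11-id 'REPLACE_WITH_SERIALIZED_ID_FROM_TOKEN'

# Every renegotiation is a fresh TLS handshake that needs a private-key
# operation on the token. The OpenVPN default is 3600 seconds; 86400
# limits time-based renegotiation to once per 24 hours per client.
reneg-sec 86400

# reneg-bytes and reneg-pkts, if set, trigger additional renegotiations
# based on traffic volume, so review them as well when the key is on a
# slow device.
```

Renegotiation is started by whichever peer has the lower `reneg-sec`, so the same value also has to be set in the client configurations; otherwise clients left at the default still renegotiate every hour.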