Cisco XML Phone applications over https (SSL)

Adam Goodfriend
Level 1

I was wondering if it is possible to use Cisco XML Phone applications over https (SSL) on Cisco SPA 500 series phones. I have tried to run XML applications on servers that have certificates signed by an internet CA, and this does not work. I was wondering if I got a certificate signed by Cisco as outlined in https://supportforums.cisco.com/docs/DOC-9852 if I could run Cisco XML Phone applications over https (SSL).


Mine is 4096 bits and it also takes 3/4 seconds, as you do with your 1024-bit key.

So I'm not sure 512/384-bit keys would make a difference / would make it usable in production mode.

Which hardware version? If I remember correctly, it takes a few seconds, not a fraction of a second, on SPA50x HW_VER 1.0.2 even with a 1024-bit key and signature algorithm sha1WithRSAEncryption.

Maybe it depends more on hardware revision than key size. Signature algorithm may affect it as well. It seems that further investigation is required (as I don't expect Cisco will document the feature properly).

According to your other message, the SPA525G2 seems to be a very different beast than the SPA5xxG.

About feature requests, how to make them?

No idea. I don't even know how to report bugs. Of course, I'm NOT willing to pay for the right to inform Cisco about a bug in its product.

1024 is the only allowed size for the "mini certificate" (used for voice encryption). There seems not to be a 1024-only limit for HTTPS certificates as far as I know.

But the allowed key size range is not documented by Cisco, nor are the acceptable hash algorithms and other certificate-related options. In fact, Cisco's documentation on this is very incomplete, almost non-existent. Even the list of CAs considered trusted by default on a particular device and firmware revision is not published.

On the one side, Cisco (better to say Linksys or Sipura) has created a valuable security mechanism; on the other side, lack of documentation devalues it badly.

Well, we need to live with it. I will create a few certificates based on keys with different key sizes and using different hash algorithms, I will test them and I will report the result. Not today, but sometime in the unspecified future ...

Ok, I did some tests. Conclusion? The delay caused by SSL handshaking is about 2.5s for keys in the range 384-2048 bits on SPA5xx and about 1.5-2.0s on the SPA ATA platform. For more details see below.


Test conditions:

CA: rsa:2048 bit / SHA1

Certificate: rsa:see_table_for_size / SHA1

Time interval measured as seconds on:

  • SPA504G: from local3.debug message "[create_tcp_netstrm1] connect SUCCEED"
  • SPA112: from local3.debug message "[_fprv_download_file] get dn_schema ..."
  • SPA525G2: from local3.debug message "FMM >>>> Requesting profile"

to the next syslog/debug message. Note: just one attempt, no statistical method used.


Results:

Model    | HW_VER | SW_VER | rsa:384 | rsa:1024 | rsa:2048 | rsa:4096 | rsa:8192 | rsa:16384
SPA504G  | 1.0.2  | 7.5.5  | 2.52s   | 2.42s    | 2.44s    | 2.75s    | 3.57s    | 7.39s
SPA504G  | 1.0.4  | 7.6.1  | ?       | ?        | 3.01s    | ?        | ?        | ?
SPA112   | 1.0.0  | 1.3.3  | 1.36s   | 2.04s    | 1.61s    | 2.48s    | 2.26s    | ERR:20
SPA525G2 | 2.1.1  | 7.5.5  | 0.82s   | 1.30s    | 0.79s    | 0.85s    | 1.14s    | 2.84s


Notes:

Also tried rsa:2048/MD5: on SPA504G|1.0.2|7.5.5 it takes 2.56s, on SPA112|1.0.0|1.3.3 it takes 2.27s, on SPA525G2|2.1.1|7.5.5 it takes 0.79s.

No other digest algorithms are supported (tried md4, mdc2, ripemd160, sha, sha2).

An unsupported message digest causes ssl cert err 7 (X509_V_ERR_CERT_SIGNATURE_FAILURE).

A 16kB key is supported on SPA5xx but not on the SPA ATA. It returns ssl cert err 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) there.

Note that some old firmwares don't support a DH key over 1024 bits. Such firmware will fail to set up an SSL/TLS connection with a server using the longer key at all. Apache 2.4 is known to use a larger DH key if the private key used is larger than 1024 bits. PAP2T even with the newest firmware, and SPA50x with pre-7.5.2b firmware, are known to be affected by this issue.


I would like to test a HW_VER 1.0.4 SPA50x as well as an SPA51x, but I have none yet.
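The measurement method above (interval from the per-model local3.debug marker line to the next debug line from the same device) can be automated over a syslog capture. This is an added example, not code from the thread; the log lines are constructed samples in rsyslog ISO-timestamp format, and the hostnames and the non-marker messages are assumptions.

```python
import re
from datetime import datetime

# Marker lines quoted in the thread: the debug message after which the TLS
# handshake starts on each model. The gap to the next debug line from the same
# device approximates the handshake delay (one attempt, no statistics).
HANDSHAKE_START = {
    "SPA504G": "[create_tcp_netstrm1] connect SUCCEED",
    "SPA112": "[_fprv_download_file] get dn_schema",
    "SPA525G2": "FMM >>>> Requesting profile",
}

# Constructed sample capture (not a real log): ISO timestamps with
# microseconds, hostname, facility.level, message. Hostnames and the
# non-marker messages are assumptions.
SAMPLE_LOG = """\
2014-03-10T12:00:01.100000+01:00 spa504g local3.debug [create_tcp_netstrm1] connect SUCCEED
2014-03-10T12:00:03.620000+01:00 spa504g local3.debug [ssl] handshake done
2014-03-10T12:00:03.700000+01:00 spa504g local3.debug [http] GET /app.xml
2014-03-10T12:00:10.000000+01:00 spa525g2 local3.debug FMM >>>> Requesting profile
2014-03-10T12:00:10.820000+01:00 spa525g2 local3.debug FMM >>>> profile received
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) local3\.debug (?P<msg>.*)$")


def parse(log_text):
    """Return (timestamp, host, message) tuples for well-formed debug lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group("ts"))
            entries.append((ts, m.group("host"), m.group("msg")))
    return entries


def handshake_delays(log_text):
    """Map each host to the seconds between its marker line and the next
    debug line from the same host (the thread's single-attempt method)."""
    entries = parse(log_text)
    delays = {}
    for i, (ts, host, msg) in enumerate(entries):
        if not any(msg.startswith(mark) for mark in HANDSHAKE_START.values()):
            continue
        for ts2, host2, _ in entries[i + 1:]:
            if host2 == host:  # first later line from the same device
                delays[host] = round((ts2 - ts).total_seconds(), 2)
                break
    return delays


if __name__ == "__main__":
    print(handshake_delays(SAMPLE_LOG))  # {'spa504g': 2.52, 'spa525g2': 0.82}
```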

Dan, interesting results!

Any chance to perform these tests (or at least with rsa:4096) on a SPA525G2?

Does anybody have experience with XML applications over HTTPS on a SPA525G2?

Thank you!

Yes, I have one SPA525G2. But be patient, I'm out of my test lab for at least the next week.

OK Dan, thank you very much!

Hi Dan,

Were you able to perform this test?

Thank you very much!

Which test? Results of the SPA525G2 tests were added to the table above a long time ago.

Ah yes, you're right, thank you very much!

I did not get notified because you only updated your message without posting a new one.

Results are really interesting, the SPA525G2 is around 3 times faster.

We now have to validate whether 0.8 seconds is something usable / production ready.

Thank you for your time Dan!

As you noted, the SPA51x could be interesting to test; it seems that the only difference is the 1Gbps Ethernet connection, but perhaps they have a bigger CPU, which would lead to a smaller SSL delay, perhaps even smaller than with the 525.

Any idea when you will have one of them available?

Thank you !

I spent my personal money on an SPA112 and SPA232D+SPA302D within the past few months and the budget dedicated to toys is exhausted. I'm not going to buy it myself now.

Unless someone (you?) decides to be a donor, there is no SPA51x known to be on the way. Sorry.


OK, I just ordered a SPA514G.

I will be able to compare it with a SPA504G.

So, here are the results, for a full HTTPS (RSA 4096 bits) request.

The goal is simply to see whether the SPA51x series is faster or not.

SPA 504G hardware 1.0.0 : 3.8 seconds
SPA 514G hardware 1.0.0 : 4.2 seconds

Incredible, but the SPA514G is a bit slower!

This kind of measurement is not so precise. I consider them the same.

And it's not so surprising either - I assume that the 51xG has a 1G-capable internal switch chip instead of the 100MHz-only chip in the 50xG. But no change elsewhere in the architecture, so the same CPU means the same computing power ...

I have "disassemble a 50xG" on my TODO list, so I will have more information then.