On 26/04/2014 14:47, Remi Gacogne wrote:
With haproxy 1.5-dev23 and no DH parameters in the cert file:
$ ab -n1000 -c100 -Z ECDHE-RSA-AES256-GCM-SHA384,2048,256 https://127.0.0.1/
Requests per second: 427.94 [#/sec] (mean)
Time per request: 233.679 [ms] (mean)
[...]
The same test with 1024 bits DH parameters in the cert file:
$ ab -n1000 -c100 -Z DHE-RSA-AES256-GCM-SHA384,2048,256 https://127.0.0.1/
Requests per second: 290.67 [#/sec] (mean)
Time per request: 344.027 [ms] (mean)
That's a bit strange, are you using the same 1024 bits DH parameters in
the cert file as the ones that are hardcoded in 1.5-dev22 and
1.5-dev24? Because then I would have expected the same results.
In the same conditions I get the same results, but look at the ciphers.
One test is for ECDHE, the other one is for DHE.
I tried to reproduce your tests with siege by comparing dev-22 without
DH parameters in the cert file and -dev23 with those:
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJJAJDXDoS5E03MNjnjK36eOL1tRqVa/9NuOVlI+lpXmPjJQbP65EvKn
fSLnG7VMhoCJO4KtG88zf393ltP7loGB2bofcDSr+x+XsxBM8yA/Zj6BmQt+CQ9s
TF7hoOV+wXTT6ErZ5y5qx9pq6hLfKXwTGFT78hrE6HnCO7xgtPdTAgEC
-----END DH PARAMETERS-----
I get roughly the same CPS (forcing haproxy to provide only DHE key
exchange with the ciphers keyword) for both versions, which seems logical.
I agree ;-)
--
Cyril Bonté