On Sat, Apr 26, 2014 at 01:41:21PM +0200, Cyril Bonté wrote:
> With haproxy 1.5-dev23 and no DH parameters in the cert file:
> $ ab -n1000 -c100 -Z ECDHE-RSA-AES256-GCM-SHA384,2048,256 https://127.0.0.1/
>
> Requests per second: 427.94 [#/sec] (mean)
> Time per request: 233.679 [ms] (mean)
>
> $ ab -n1000 -c100 -Z DHE-RSA-AES256-GCM-SHA384,2048,256 https://127.0.0.1/
>
> Requests per second: 72.10 [#/sec] (mean)
> Time per request: 1386.985 [ms] (mean)
>
> The same test with 1024-bit DH parameters in the cert file:
> $ ab -n1000 -c100 -Z DHE-RSA-AES256-GCM-SHA384,2048,256 https://127.0.0.1/
>
> Requests per second: 290.67 [#/sec] (mean)
> Time per request: 344.027 [ms] (mean)
>
> And with 2048-bit DH parameters:
>
> $ ab -n1000 -c100 -Z DHE-RSA-AES256-GCM-SHA384,2048,256 https://127.0.0.1/
>
> Requests per second: 74.01 [#/sec] (mean)
> Time per request: 1351.196 [ms] (mean)
>
> The same performance and CPU usage will occur with 1.5-dev24 in these
> conditions.
BTW, I rediscovered Vincent's very instructive article on DHE vs ECDHE here:
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

It helped me fix the SSL config for the demo page, which now gets an A grade on SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=demo.haproxy.org

I really recommend this reading to those for whom, like me, all this is far from being obvious.

Cheers,
Willy
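The three configurations benchmarked above differ only in what DH PARAMETERS block, if any, sits in the haproxy cert file. As an added example (not from the thread or from haproxy itself), this Python script parses a PEM bundle, decodes the PKCS#3 DHParameter SEQUENCE, and reports the prime size, so you can tell which case a given file is in before measuring. The `make_dh_pem` helper builds constructed test input with a fake odd p, not a real safe prime.

```python
import base64
import re

DH_BLOCK = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:                     # short form
        return buf[i], i + 1
    n = buf[i] & 0x7F                     # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, i = _read_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length

def dh_param_bits(pem_text):
    """Bit length of p in the first DH PARAMETERS block, or None if the bundle
    has none (the 'no DH parameters in the cert file' case in the thread)."""
    m = DH_BLOCK.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:                    # DHParameter ::= SEQUENCE { p, g [, l] }
        raise ValueError("expected SEQUENCE tag")
    _, i = _read_len(der, 1)
    p, i = _read_int(der, i)              # p comes first; g is not needed for the size
    return p.bit_length()

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return b"\x02" + _der_len(len(body)) + body

def make_dh_pem(bits, g=2):
    """CONSTRUCTED test input: p is a fake odd number of the requested size, not a
    real safe prime. Real files come from: openssl dhparam -out dh2048.pem 2048"""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[k:k + 64] for k in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

Run `dh_param_bits(open("site.pem").read())` against the bundle haproxy loads; a result of 2048 explains the DHE numbers in the last benchmark, and None means the default group is in use.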

