>From: [email protected] On Behalf Of Sukalp Bhople
>Sent: Friday, 29 June, 2012 15:30
>
>I am trying to measure server performance for client certificate verification.
>However, there is no significant difference in the server performance
>when I send one certificate and condition when I send chain of 10 certificates.

I assume this is really a chain, i.e. the client cert depends on all the chain certs on the way to a root. If you send certs that aren't needed, OpenSSL will ignore them and they have no effect except using some network bandwidth (and transmission time, but in today's Internet transmission time for a cert of 1 kbyte or so is almost zero).

>I am aware that certificate verification is a public key operation.
>But shouldn't it make some difference? Is there any caching mechanism
>or something else?

I assume (you are certain) the server uses OpenSSL, otherwise this is not the right place to ask.

There may be caching of the certs in memory depending on whether the server uses CAfile, CApath, or a custom X509_LOOKUP; this could save I/O time. When last I read the code, unless it's modified, there is no caching of trust, and the verification is re-done.

If you are using RSA authentication (certs), and depending on whether you are using RSA key-exchange or DHE or ECDHE, it wouldn't surprise me if the other operations that occur during a handshake are 100s or 1000s of times more expensive than the cert verification(s), which would make the effect of the cert verification(s) hard to measure externally (without a high-res clock inserted into the server code).

Also, are you sure you are doing full handshakes? OpenSSL server can cache sessions*, and if you are testing with a single client that also does so (Java for example does by default) then both server and client auth are bypassed. (The session parameters are a temporary shared secret, which is supposedly sufficient.)

(* OpenSSL has done traditional session caching for a long time. Recent versions also do RFC-4507 tickets, but I haven't seen clients using those yet.)
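As an added illustration of the session-caching caveat above (not from the original thread, and written against Go's crypto/tls rather than OpenSSL so it runs self-contained): the server demands a client certificate, yet once the client holds a session ticket the second handshake resumes with no certificate exchange at all, which `DidResume` reveals; passing `nil` as the cache forces two full handshakes. The self-signed certificate and the `localhost` name are constructed in-process for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned makes a throwaway self-signed CA cert (constructed for this example) that carries server- and client-auth EKUs, so one key pair plays both peers.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	pool := x509.NewCertPool(); pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// HandshakeResumed dials a server that requires a client cert twice and reports whether the
// second connection resumed the first session: a resumed handshake exchanges no certificates.
func HandshakeResumed(cache tls.ClientSessionCache) (bool, error) {
	cert, pool, err := selfSigned()
	if err != nil { return false, err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert})
	if err != nil { return false, err }
	defer ln.Close()
	go func() { // server side: finish each handshake (session tickets go out here), then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake(); c.Close()
		}
	}()
	cli := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: pool, ServerName: "localhost", ClientSessionCache: cache}
	var resumed bool
	for i := 0; i < 2; i++ {
		c, err := tls.Dial("tcp", ln.Addr().String(), cli)
		if err != nil { return false, err }
		c.Read(make([]byte, 1)) // TLS 1.3 tickets arrive post-handshake; a Read stores them in the cache
		resumed = c.ConnectionState().DidResume
		c.Close()
	}
	return resumed, nil
}
```

A benchmark of certificate verification should therefore check `DidResume` (or OpenSSL's equivalent, `SSL_session_reused`) on every connection it times, or disable session caching on both sides.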
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
