Hi,

On 31-12-20, Hauke Mehrtens wrote:
> > I looked into performance problems of LuCI when using https some time ago.
> >
> > The slow part was the handshake, the normal stream cipher is relatively
> > fast, even very slow devices should be able to do multiple MB/s.
> >
> > On the server side the ECC handshake was much faster, I think I measured
> > values like 1 second (RSA) vs. 0.3 seconds (ECC) for the handshake on a
> > Lantiq MIPS 24Kec CPU with mbedtls, the RSA handshake was much faster
> > (0.5 seconds) with openssl.
> >
> > We should activate support for ECC certificates on
> > https://downloads.openwrt.org, I think it is possible to use both RSA
> > and ECC on the server and then decide based on what the client supports
> > and wants. In OpenWrt we could use then ECC to authenticate the server.
> > The crypto parts should already be there as we need ECDH for SAE in
> > hostapd.
> >
> > We could use TLS Session Resumption, the SSL libraries should support
> > it, this way we can easily reuse the same session for the next download.
> > Browsers do this to only do one SSL handshake and then have multiple TCP
> > connections to the server to download the material in parallel.
> >
> > Hauke
>
> The changes I did are here:
> https://git.openwrt.org/f2c8f6dc3249b506b915741d12905402dfffe162
> https://git.openwrt.org/e8a1469
>
> These are only for mbedtls and not for openssl/wolfssl it could be that this
> causes some problems. I would also assume that openssl is much faster than
> wolfssl, so we do not see these problems so much with openssl.
Thanks for the hints and the links.

I assume that the TLS session cache is only kept in memory? This makes sense for a server process, but it is less useful on the client side. Especially because currently opkg forks to call uclient-fetch individually for each package download. It would be useful when downloading several files with one uclient-fetch invocation, but this feature is broken.

In any case, you're right: it's a good idea to benchmark before trying to optimize something. Once I fixed my test devices, I will run performance tests with client-side TLS.

Thanks,
Baptiste
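The two things discussed in this thread, the cost of the full handshake for an RSA versus an ECC server certificate and how much a resumed session saves, can be measured on any host with a small harness like the one below. This is an added example and not code from the thread, from OpenWrt, from uclient-fetch or from mbedtls: it uses Python's standard-library `ssl` module plus the `openssl` command-line tool (assumed to be installed) to mint throwaway self-signed RSA-2048 and P-256 certificates, serves each from a local thread, and times a fresh handshake against one that reuses the previous `SSLSession`. The function names (`make_self_signed`, `serve`, `handshake`, `benchmark`) and the `"rsa"`/`"ecc"` labels are the example's own. It also illustrates the point Baptiste raises: the resumed session only helps because the same process holds the session object across connections, which a fresh uclient-fetch per package cannot do.

```python
"""Time fresh vs. resumed TLS handshakes against a local server using an RSA or an ECC (P-256) cert."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading
import time

HOST = "127.0.0.1"


def make_self_signed(kind, directory):
    """Write a throwaway self-signed cert/key pair via the openssl CLI (assumed to be installed).

    kind: "rsa" for a 2048-bit RSA key, "ecc" for a P-256 key (labels chosen for this example).
    """
    key = os.path.join(directory, f"{kind}.key")
    crt = os.path.join(directory, f"{kind}.crt")
    newkey = (["-newkey", "rsa:2048"] if kind == "rsa"
              else ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"])
    subprocess.run(["openssl", "req", "-x509", *newkey, "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key


def serve(listener, server_ctx, stop):
    """One TLS handshake per accepted connection, mirroring opkg calling uclient-fetch per package."""
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            break
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # wait for the client's single byte, then close
        except (ssl.SSLError, OSError):
            pass


def handshake(client_ctx, port, session=None):
    """Connect, then time only wrap_socket() (the handshake). Returns (seconds, SSLSession, reused)."""
    raw = socket.create_connection((HOST, port))
    t0 = time.perf_counter()
    with client_ctx.wrap_socket(raw, server_hostname="localhost", session=session) as tls:
        elapsed = time.perf_counter() - t0
        sess, reused = tls.session, tls.session_reused
        tls.sendall(b"x")
    return elapsed, sess, reused


def benchmark(kind, rounds=5):
    """Serve a cert of the given kind; return mean fresh and resumed handshake times in ms."""
    with tempfile.TemporaryDirectory() as workdir:
        crt, key = make_self_signed(kind, workdir)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert chain and hostname
        client_ctx.load_verify_locations(crt)
        # TLS 1.3 delivers session tickets after the handshake, so tls.session may still be None
        # when wrap_socket() returns; pin the client to 1.2 so the session is usable immediately.
        client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2

        listener = socket.socket()
        listener.bind((HOST, 0))
        listener.listen(8)
        listener.settimeout(0.5)
        port = listener.getsockname()[1]
        stop = threading.Event()
        worker = threading.Thread(target=serve, args=(listener, server_ctx, stop), daemon=True)
        worker.start()
        fresh, resumed, reused_flags = [], [], []
        try:
            for _ in range(rounds):
                dt, sess, _ = handshake(client_ctx, port)          # full handshake
                fresh.append(dt)
                dt, _, reused = handshake(client_ctx, port, sess)  # abbreviated handshake
                resumed.append(dt)
                reused_flags.append(reused)
        finally:
            stop.set()
            worker.join()
            listener.close()
    return {
        "kind": kind,
        "fresh_ms": 1000 * sum(fresh) / rounds,
        "resumed_ms": 1000 * sum(resumed) / rounds,
        "all_resumed": all(reused_flags),
    }


if __name__ == "__main__":
    for kind in ("rsa", "ecc"):
        r = benchmark(kind)
        print(f"{r['kind']}: fresh {r['fresh_ms']:.2f} ms, resumed {r['resumed_ms']:.2f} ms, "
              f"resumed every time: {r['all_resumed']}")
```

Absolute numbers on a desktop are far below the Lantiq figures quoted above, so the interesting outputs are the RSA-to-ECC ratio and the fresh-to-resumed ratio, both measured against the same TLS library the client would use. The server thread accepts one connection per handshake on purpose; to see what a multi-file fetch in a single process would gain, keep `sess` and reuse it for every subsequent connection.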
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel