ssl3_get_cert_verify performance
Hello devs,

Right now I'm doing a lot of benchmarks, trying to figure out how to make my https server as fast as others are (for example, nginx). I've found that somewhere between 0.9.8 and 1.0.1c ssl3_get_cert_verify has started spending much more time than it was. I wonder if you're aware of it, or if this thing can depend on some SSL_CTX mode/flag.

Here are flamegraphs to make it clearer what I'm talking about:

* My server (openssl1.0.1c) - http://blog.indutny.com/f/tlsnappy-x64.svg
* Nginx (openssl0.9.8) - http://blog.indutny.com/f/nginx.svg

And here are the sources of my server, just in case you need them to figure something out: https://github.com/indutny/tlsnappy/blob/master/src/tlsnappy.cc

Thank you,
Fedor.
Re: ssl3_get_cert_verify performance
I'm afraid flamegraphs for two different servers with two different OpenSSL libraries, without information about the type of load they were collected with, and without any information other than "smth. started spending much more time than it was", cannot give much information about the root cause of the issue.

You may start with:

1. Describing your test procedure. (What are you measuring? Handshakes? Data transfer? Multithreaded?)
2. Describing the test environment (type of certificates, key length, used ciphersuites, etc.)
3. Measure performance differences in absolute values (ms, handshakes per second, etc.)
4. Measure nginx performance with two different OpenSSL versions.
5. Measure your server performance with two different OpenSSL versions.
6. Share your findings.

On 5 January 2013 13:14, Fedor Indutny fe...@indutny.com wrote:

> Hello devs,
>
> Right now I'm doing a lot of benchmarks, trying to figure out how to make my https server as fast as others are (for example, nginx). I've found that somewhere between 0.9.8 and 1.0.1c ssl3_get_cert_verify has started spending much more time than it was. I wonder if you're aware of it, or if this thing can depend on some SSL_CTX mode/flag.
>
> Here are flamegraphs to make it clearer what I'm talking about:
>
> * My server (openssl1.0.1c) - http://blog.indutny.com/f/tlsnappy-x64.svg
> * Nginx (openssl0.9.8) - http://blog.indutny.com/f/nginx.svg
>
> And here are the sources of my server, just in case you need them to figure something out: https://github.com/indutny/tlsnappy/blob/master/src/tlsnappy.cc
>
> Thank you,
> Fedor.
Re: ssl3_get_cert_verify performance
Andrey,

Thank you for replying.

1. I'm running the apache benchmark utility: ab -c 100 -n 10 https://localhost:44300/ . And I'm measuring handshakes/sec.
2. Certificates are here https://github.com/indutny/tlsnappy/tree/master/keys and connections are using the following ciphers:

    Cipher Suite Protocol :TLSv1/SSLv3
    Cipher Suite Name :AES256-SHA
    Cipher Suite Cipher Bits:256 (256)

3. Results of the benchmarks are posted here: http://blog.indutny.com/1.to-lock-or-not-to-lock at the bottom of the page in the Results section.
4. I'm afraid I won't be able to do it anytime soon, since I've only one smartos (solaris) server at hand right now (which I can't clobber).
5. This is rather complicated right now too, see 4.

Cheers,
Fedor.

On Sat, Jan 5, 2013 at 4:26 PM, Andrey Kulikov amde...@gmail.com wrote:

> I'm afraid flamegraphs for two different servers with two different OpenSSL libraries, without information about the type of load they were collected with, and without any information other than "smth. started spending much more time than it was", cannot give much information about the root cause of the issue.
>
> You may start with:
>
> 1. Describing your test procedure. (What are you measuring? Handshakes? Data transfer? Multithreaded?)
> 2. Describing the test environment (type of certificates, key length, used ciphersuites, etc.)
> 3. Measure performance differences in absolute values (ms, handshakes per second, etc.)
> 4. Measure nginx performance with two different OpenSSL versions.
> 5. Measure your server performance with two different OpenSSL versions.
> 6. Share your findings.
>
> On 5 January 2013 13:14, Fedor Indutny fe...@indutny.com wrote:
>
> > Hello devs,
> >
> > Right now I'm doing a lot of benchmarks, trying to figure out how to make my https server as fast as others are (for example, nginx). I've found that somewhere between 0.9.8 and 1.0.1c ssl3_get_cert_verify has started spending much more time than it was. I wonder if you're aware of it, or if this thing can depend on some SSL_CTX mode/flag.
> >
> > Here are flamegraphs to make it clearer what I'm talking about:
> >
> > * My server (openssl1.0.1c) - http://blog.indutny.com/f/tlsnappy-x64.svg
> > * Nginx (openssl0.9.8) - http://blog.indutny.com/f/nginx.svg
> >
> > And here are the sources of my server, just in case you need them to figure something out: https://github.com/indutny/tlsnappy/blob/master/src/tlsnappy.cc
> >
> > Thank you,
> > Fedor.