[stunnel-users] Inconsistent performance across stunnel and/or OpenSSL versions

PPingPongBaker PPingPongBaker ppingpongbaker at gmail.com
Tue Apr 23 04:19:38 CEST 2013


On Fri Apr 19 17:10:31 CEST 2013, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:

> Hi PPingPongBaker,

> Could you repeat your tests with:
>    ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:-MEDIUM:RC4:+HIGH
> and
>    ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:!ECDH:-MEDIUM:RC4:+HIGH
> ?

> It might be interesting to see the performance with DH (and possibly
> also ECDH) ciphersuites completely disabled.

Hi Mike,

The best compilation of results on this topic that I have seen and
agree with is at [1].

DHE modular exponentiation really hurts SSL performance; no wonder
Google resorted to ECDHE.

[1] http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html



On Thu, Apr 18, 2013 at 12:02 PM, PPingPongBaker PPingPongBaker <
ppingpongbaker at gmail.com> wrote:

>
> It appears including static DH params in the certificate brings the
> performance back up in 4.40 and onward.
>
> Would like to mark this RESOLVED.
>
> Regards.
>
>
> On Wed, Apr 17, 2013 at 11:29 PM, PPingPongBaker PPingPongBaker <
> ppingpongbaker at gmail.com> wrote:
>
>> Another data point after a binary search across versions keeping OpenSSL
>> version identical at 1.0.1e
>>
>> I see this performance regression between stunnel versions 4.39 and 4.40.
>>
>> Regards.
>>
>>
>> On Wed, Apr 17, 2013 at 4:46 PM, PPingPongBaker PPingPongBaker <
>> ppingpongbaker at gmail.com> wrote:
>>
>>>
>>> On Wed, Apr 17, 2013 at 12:23 PM, Janusz Dziemidowicz <
>>> rraptorr at nails.eu.org> wrote:
>>>
>>>> 2013/4/17 PPingPongBaker PPingPongBaker <ppingpongbaker at gmail.com>:
>>>>
>>>>
>>>> If you want to compare various stunnel versions, then use the same
>>>> OpenSSL version. If you want to compare OpenSSL... then use the same
>>>> stunnel version. The configuration you mentioned above doesn't make a
>>>> lot of sense as it makes it hard to tell where the performance drop
>>>> comes from. If you really must test such configuration, the best way
>>>> would be to ensure the same TLS version (1.0, not 1.1 or 1.2, OpenSSL
>>>> 1.0.1 defaults to 1.2) and the same cipher.
>>>>
>>>>
>>> Hi Janusz,
>>>
>>> As per your suggestions and mea culpa in some stated results. Here is a
>>> hopefully complete/better matrix. Making sure that CPU is pegged at 100%
>>> and in stunnel.conf (sslVersion = TLSv1)
>>>
>>> stunnel 4.29, OpenSSL 0.9.8o - ~300 requests per sec
>>> stunnel 4.29, OpenSSL 1.0.1e - ~360 requests per sec
>>> stunnel 4.56, OpenSSL 0.9.8o - ~100 requests per sec
>>> stunnel 4.56, OpenSSL 1.0.1e - ~120 requests per sec
>>>
>>> Regards.
>>>
>>
>>
>
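To check which key-exchange families a cipher string such as the two suggested above actually leaves enabled, the output of `openssl ciphers -v '<string>'` can be grouped by its `Kx=` column. The following is an added example, not part of the original thread; the sample lines are constructed, and `parse_suites`, `kx_family`, `group_by_kx` and `without_kx` are illustrative names.

```python
from collections import defaultdict

# Constructed sample in the column layout printed by `openssl ciphers -v`
# (suite, protocol, Kx=, Au=, Enc=, Mac=). Not output captured from the thread.
SAMPLE = """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
"""

def parse_suites(text):
    """Turn `openssl ciphers -v` lines into dicts; skip lines without Kx=."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        if len(fields) < 3 or "Kx" not in attrs:
            continue
        suites.append({"name": fields[0], "proto": fields[1], **attrs})
    return suites

def kx_family(suite):
    """Reduce values like 'ECDH/RSA' or 'DH(512)' to the family name."""
    return suite["Kx"].split("/")[0].split("(")[0]

def group_by_kx(suites):
    """Map key-exchange family -> suite names, preserving list order."""
    groups = defaultdict(list)
    for s in suites:
        groups[kx_family(s)].append(s["name"])
    return dict(groups)

def without_kx(suites, excluded):
    """Simplified model of '!DH' / '!ECDH': drop whole key-exchange families."""
    return [s["name"] for s in suites if kx_family(s) not in excluded]

if __name__ == "__main__":
    suites = parse_suites(SAMPLE)
    for family, names in group_by_kx(suites).items():
        print(f"{family:5} {len(names)} suite(s): {', '.join(names)}")
    print("after !DH       :", without_kx(suites, {"DH"}))
    print("after !DH:!ECDH :", without_kx(suites, {"DH", "ECDH"}))
```

Feeding it the real `openssl ciphers -v` output from each build under test shows whether a throughput difference coincides with DH suites being present in the list.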