<div dir="ltr"><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><b style="font-family:'Times New Roman';font-size:medium;white-space:normal"> > </b><i style="font-family:'Times New Roman';font-size:medium;white-space:normal">On Fri Apr 19 17:10:31 CEST 2013, </i><b style="font-family:'Times New Roman';font-size:medium;white-space:normal">Michal Trojnara</b><span style="font-family:'Times New Roman';font-size:medium;white-space:normal"> </span><a href="mailto:stunnel-users%40stunnel.org?Subject=Re%3A%20%5Bstunnel-users%5D%20Inconsistent%20performance%20across%20stunnel%20and/or%0A%20OpenSSL%20versions&In-Reply-To=%3C51715E67.1000701%40mirt.net%3E" title="[stunnel-users] Inconsistent performance across stunnel and/or OpenSSL versions" style="font-family:'Times New Roman';font-size:medium;white-space:normal">Michal.Trojnara at mirt.net </a> wrote:</pre>
<pre style="white-space:pre-wrap;color:rgb(0,0,0)">> <span style="font-family:arial">Hi PPingPongBaker,</span></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">> Could you repeat your tests with:
> ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:-MEDIUM:RC4:+HIGH
> and
> ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:!ECDH:-MEDIUM:RC4:+HIGH
> ?
> It might be interesting to see the performance with DH (and possibly
> also ECDH) ciphersuites completely disabled.
Hi Mike,</pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">The best compilation of results on this topic that I have seen and agree with is at [1]</pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">DHE modular exponentiation really hurts SSL performance; no wonder Google resorted to ECDHE.</pre>
<pre style="white-space:pre-wrap;color:rgb(0,0,0)"><pre style="white-space:pre-wrap">[1] <a href="http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html">http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html</a></pre>
</pre><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Apr 18, 2013 at 12:02 PM, PPingPongBaker PPingPongBaker <span dir="ltr"><<a href="mailto:ppingpongbaker@gmail.com" target="_blank">ppingpongbaker@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><br>It appears including static DH params in the certificate brings the performance back up in 4.40 and onward.<br>
<br></div>Would like to mark this RESOLVED.<br><br></div>Regards.<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, Apr 17, 2013 at 11:29 PM, PPingPongBaker PPingPongBaker <span dir="ltr"><<a href="mailto:ppingpongbaker@gmail.com" target="_blank">ppingpongbaker@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Another data point after a binary search across versions keeping OpenSSL version identical at 1.0.1e<div>
<br></div><div>I see this performance regression between stunnel versions 4.39 and 4.40.</div><div class="gmail_extra">
<br></div><div class="gmail_extra">Regards.</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 17, 2013 at 4:46 PM, PPingPongBaker PPingPongBaker <span dir="ltr"><<a href="mailto:ppingpongbaker@gmail.com" target="_blank">ppingpongbaker@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 17, 2013 at 12:23 PM, Janusz Dziemidowicz <span dir="ltr"><<a href="mailto:rraptorr@nails.eu.org" target="_blank">rraptorr@nails.eu.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2013/4/17 PPingPongBaker PPingPongBaker <<a href="mailto:ppingpongbaker@gmail.com" target="_blank">ppingpongbaker@gmail.com</a>>:<div>
<br>
<br>
If you want to compare various stunnel versions, then use the same<br>
OpenSSL version. If you want to compare OpenSSL... then use the same<br>
stunnel version. The configuration you mentioned above doesn't make a<br>
lot of sense as it makes it hard to tell where the performance drop<br>
comes from. If you really must test such configuration, the best way<br>
would be to ensure the same TLS version (1.0, not 1.1 or 1.2, OpenSSL<br>
1.0.1 defaults to 1.2) and the same cipher.<br>
<br></div></blockquote><div><br>Hi Janusz,<br><br></div><div>As per your suggestions (and mea culpa for some of the stated results), here is a hopefully complete/better matrix, making sure that the CPU is pegged at 100% and that stunnel.conf has sslVersion = TLSv1:<br>
<br></div><div>stunnel 4.29, OpenSSL 0.9.8o - ~300 requests per sec<br></div><div>stunnel 4.29, OpenSSL 1.0.1e - ~360 requests per sec<br>stunnel 4.56, OpenSSL 0.9.8o - ~100 requests per sec<br></div><div>stunnel 4.56, OpenSSL 1.0.1e - ~120 requests per sec<br>
</div><div><br></div><div>Regards.<br></div></div></div></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>
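<div dir="ltr">Before repeating the benchmark with the two cipher strings quoted in this thread, it helps to confirm which key-exchange families each string actually leaves enabled. The following is an added example, not code from the thread or from stunnel: it hands each string to the OpenSSL build that Python's ssl module is linked against (which may differ from the one stunnel uses), and the function names kx_tally and report are introduced here for illustration.</div>

```python
import ssl
from collections import defaultdict

# The two cipher strings quoted from the thread.
NO_DH = "ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:-MEDIUM:RC4:+HIGH"
NO_DH_NO_ECDH = "ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:!ECDH:-MEDIUM:RC4:+HIGH"


def kx_tally(cipher_string):
    """Expand cipher_string with the linked OpenSSL and group the
    resulting suite names by key-exchange algorithm."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    groups = defaultdict(list)
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are configured separately in OpenSSL and are
        # listed whatever the string says, so keep them apart.
        if suite["protocol"] == "TLSv1.3":
            groups["tls1.3"].append(suite["name"])
        else:
            groups[suite["kea"]].append(suite["name"])
    return dict(groups)


def report(label, cipher_string):
    """Print one line per key-exchange family and return the tally."""
    tally = kx_tally(cipher_string)
    print(f"{label}: {cipher_string}")
    for kea in sorted(tally):
        print(f"  {kea:14} {len(tally[kea]):3}  e.g. {tally[kea][0]}")
    return tally


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    report("baseline", "ALL:!aNULL")
    report("no DH", NO_DH)
    report("no DH, no ECDH", NO_DH_NO_ECDH)
```

A "kx-dhe" row in the baseline that disappears in the other two runs confirms that ephemeral DH is excluded from the handshake being measured; the suite counts themselves vary with the OpenSSL version and build options.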