On Fri Apr 19 17:10:31 CEST 2013, Michal Trojnara (Michal.Trojnara at mirt.net) wrote:
Hi PPingPongBaker,
Could you repeat your tests with:
ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:-MEDIUM:RC4:+HIGH
and
ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:!ECDH:-MEDIUM:RC4:+HIGH
?
It might be interesting to see the performance with DH (and possibly also ECDH) ciphersuites completely disabled.
Hi Mike,
The best compilation of results on this topic that I have seen and agree with is at [1].
DHE modular exponentiation really hurts SSL performance; no wonder Google resorted to ECDHE.
[1] http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
On Thu, Apr 18, 2013 at 12:02 PM, PPingPongBaker PPingPongBaker < ppingpongbaker@gmail.com> wrote:
It appears including static DH params in the certificate brings the performance back up in 4.40 and onward.
Would like to mark this RESOLVED.
Regards.
On Wed, Apr 17, 2013 at 11:29 PM, PPingPongBaker PPingPongBaker < ppingpongbaker@gmail.com> wrote:
Another data point after a binary search across versions keeping OpenSSL version identical at 1.0.1e
I see this performance regression between stunnel versions 4.39 and 4.40.
Regards.
On Wed, Apr 17, 2013 at 4:46 PM, PPingPongBaker PPingPongBaker < ppingpongbaker@gmail.com> wrote:
On Wed, Apr 17, 2013 at 12:23 PM, Janusz Dziemidowicz < rraptorr@nails.eu.org> wrote:
2013/4/17 PPingPongBaker PPingPongBaker ppingpongbaker@gmail.com:
If you want to compare various stunnel versions, then use the same OpenSSL version. If you want to compare OpenSSL... then use the same stunnel version. The configuration you mentioned above doesn't make a lot of sense as it makes it hard to tell where the performance drop comes from. If you really must test such configuration, the best way would be to ensure the same TLS version (1.0, not 1.1 or 1.2, OpenSSL 1.0.1 defaults to 1.2) and the same cipher.
Hi Janusz,
As per your suggestions and mea culpa in some stated results. Here is a hopefully complete/better matrix. Making sure that CPU is pegged at 100% and in stunnel.conf (sslVersion = TLSv1)
stunnel 4.29, OpenSSL 0.9.8o - ~300 requests per sec
stunnel 4.29, OpenSSL 1.0.1e - ~360 requests per sec
stunnel 4.56, OpenSSL 0.9.8o - ~100 requests per sec
stunnel 4.56, OpenSSL 1.0.1e - ~120 requests per sec
Regards.