Hello everybody,
I hope I didn't miss an existing thread about this question, but I wasn't able to find one. At least none where I found an answer, although my question is quite simple.
I would like to test the performance difference between enabled and disabled SSLCaching. I use a configuration file for Stunnel 4.11 (daemon mode) where I tell it to accept incoming connections on port 444 and direct them to a local web-server on port 80.
Because STunnel uses Caching by default, I tried to tell STunnel to disable SSL Caching by setting session = 0 in the configuration file, which resulted in an error when starting the program. I looked at the code and found that there is a check so that the session parameter can not be equal to 0. I disabled the check and started stunnel again which seemed to work.
But taking a look at the packets exchanged via a browser and the server resulted in the conclusion that caching is still enabled.
My simple question is how I can disable the caching.
Another question is whether any of you has made any performance tests regarding STunnel in combination with an Apache HTTP server on the same machine. I'm especially interested in modes to get this combination to run faster. And now please do not tell me to use mod_ssl. :)
Thanks in advance.
Daniel
> I would like to test the performance difference between enabled and disabled SSLCaching. I use a configuration file for Stunnel 4.11 (daemon mode) where I tell it to accept incoming connections on port 444 and direct them to a local web-server on port 80.

Find code like this in the stunnel source:

    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
    SSL_set_session(c->ssl, ctx->session_cache_head);

and comment any occurrences out. Recompile. Should do the trick.

> Another question is whether any of you has made any performance tests regarding STunnel in combination with an Apache HTTP server on the same machine. I'm especially interested in modes to get this combination to run faster. And now please do not tell me to use mod_ssl. :)

Benchmark different key lengths and ciphers until you find the one that's fastest.
And use session caching!
On 2005-07-19, at 06:26, Brian Hatch wrote:
> Benchmark different key lengths and ciphers until you find the one that's fastest.
> And use session caching!

BTW: Did you see my benchmarks? http://stunnel.mirt.net/perf.html
Best regards, Mike
Hey Michael,
also thanks to you.
> BTW: Did you see my benchmarks? http://stunnel.mirt.net/perf.html

Yes I did, but can you offer me any further details about the tests?
Greetings, Daniel
On 2005-07-19, at 11:11, Daniel Hamburg wrote:
>> BTW: Did you see my benchmarks? http://stunnel.mirt.net/perf.html
> Yes I did, but can you offer me any further details about the tests?

I was testing it last year, but I remember I was using sslswamp utility from distcache package:
http://sourceforge.net/projects/distcache/
-session parameter is a flexible way to control session cache usage. AFAIR stunnel server was connecting to chargen service provided by xinetd.
Best regards, Mike
Hey Brian,
thanks for the fast reply.
> Find code like this in the stunnel source:
>
>     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
>     SSL_set_session(c->ssl, ctx->session_cache_head);
>
> and comment any occurrences out. Recompile. Should do the trick.

I did that. Found the first instruction in SSL.c and the second in client.c. Commenting them out and recompiling did not help. STunnel still uses Caching. Correct me if I'm wrong, but afaik STunnel uses OpenSSL to handle SSL related things. I think OpenSSL uses a predefined Session Timer of 300 s and simply commenting out the code in STunnel does not prevent OpenSSL from using its default value. We also tried to change the code and comment out the check that the session timer is at least equal to 1, but that still did not help.

> Benchmark different key lengths and ciphers until you find the one that's fastest. And use session caching!

Yes, we tried different parameters, but mod_ssl is about 50% faster than STunnel and Apache. But I think that is quite normal.
Greetings, Daniel
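
A client-side way to check whether the stunnel listener is still resuming sessions, added here as an example and not part of the thread: `openssl s_client -reconnect` reconnects with the same session and prints a summary line starting with `New,` or `Reused,` for each handshake, which the script below counts. The sample output is constructed, and `localhost:444` in the comment is the port from the first message.

```shell
#!/bin/sh
# Classify the handshakes reported by `openssl s_client -reconnect`.
# Each handshake summary line starts with "New," (full handshake) or
# "Reused," (session resumed).

# stdin: s_client output; stdout: "<full> <resumed>"
count_handshakes() {
    awk '/^New, /    { full++ }
         /^Reused, / { resumed++ }
         END         { printf "%d %d\n", full, resumed }'
}

# stdin: s_client output; stdout: enabled | disabled | unknown
cache_status() {
    set -- $(count_handshakes)
    if [ "$2" -gt 0 ]; then
        echo enabled      # at least one reconnect resumed a session
    elif [ "$1" -gt 0 ]; then
        echo disabled     # every connection needed a full handshake
    else
        echo unknown      # no handshake completed (refused, timeout, ...)
    fi
}

# Constructed sample of s_client -reconnect output, trimmed to the relevant
# lines. $1 is the word the five reconnects report: New or Reused.
sample_output() {
    echo "New, TLSv1/SSLv3, Cipher is AES256-SHA"
    for i in 1 2 3 4 5; do
        echo "drop connection and then reconnect"
        echo "$1, TLSv1/SSLv3, Cipher is AES256-SHA"
    done
}

# Live check against a listener, e.g. check_live localhost:444
check_live() {
    openssl s_client -connect "$1" -reconnect </dev/null 2>/dev/null | cache_status
}

# Run as: sh script.sh HOST:PORT
if [ "$#" -eq 1 ]; then
    check_live "$1"
fi
```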