[stunnel-users] Inconsistent performance across stunnel and/or OpenSSL versions

Michal Trojnara Michal.Trojnara at mirt.net
Fri Apr 19 17:10:31 CEST 2013


Hi PPingPongBaker,

Could you repeat your tests with:
    ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:-MEDIUM:RC4:+HIGH
and
    ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:!DH:!ECDH:-MEDIUM:RC4:+HIGH
?

It might be interesting to see the performance with DH (and possibly
also ECDH) ciphersuites completely disabled.

TIA,
    Mike

On 2013-04-18 21:02, PPingPongBaker PPingPongBaker wrote:
>
> It appears including static DH params in the certificate brings the
> performance back up in 4.40 and onward.
>
> Would like to mark this RESOLVED.
>
> Regards.
>
>
> On Wed, Apr 17, 2013 at 11:29 PM, PPingPongBaker PPingPongBaker
> <ppingpongbaker at gmail.com <mailto:ppingpongbaker at gmail.com>> wrote:
>
>     Another data point after a binary search across versions keeping
>     OpenSSL version identical at 1.0.1e
>
>     I see this performance regression between stunnel versions 4.39
>     and 4.40.
>
>     Regards.
>
>
>     On Wed, Apr 17, 2013 at 4:46 PM, PPingPongBaker PPingPongBaker
>     <ppingpongbaker at gmail.com <mailto:ppingpongbaker at gmail.com>> wrote:
>
>
>         On Wed, Apr 17, 2013 at 12:23 PM, Janusz Dziemidowicz
>         <rraptorr at nails.eu.org <mailto:rraptorr at nails.eu.org>> wrote:
>
>             2013/4/17 PPingPongBaker PPingPongBaker
>             <ppingpongbaker at gmail.com <mailto:ppingpongbaker at gmail.com>>:
>
>
>             If you want to compare various stunnel versions, then use
>             the same
>             OpenSSL version. If you want to compare OpenSSL... then
>             use the same
>             stunnel version. The configuration you mentioned above
>             doesn't make a
>             lot of sense as it makes it hard to tell where the
>             performance drop
>             comes from. If you really must test such configuration,
>             the best way
>             would be to ensure the same TLS version (1.0, not 1.1 or
>             1.2, OpenSSL
>             1.0.1 defaults to 1.2) and the same cipher.
>
>
>         Hi Janusz,
>
>         As per your suggestions and mea culpa in some stated results.
>         Here is a hopefully complete/better matrix. Making sure that
>         CPU is pegged at 100% and in stunnel.conf (sslVersion = TLSv1)
>
>         stunnel 4.29, OpenSSL 0.9.8o - ~300 requests per sec
>         stunnel 4.29, OpenSSL 1.0.1e - ~360 requests per sec
>         stunnel 4.56, OpenSSL 0.9.8o - ~100 requests per sec
>         stunnel 4.56, OpenSSL 1.0.1e - ~120 requests per sec
>
>         Regards.
>
>
>
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130419/c46137ee/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130419/c46137ee/attachment.sig>


More information about the stunnel-users mailing list