On 09.01.2014 03:51, Sam Varshavchik wrote:
>
> It's a lot of work, but the -t option with strace will log
> timestamps, so it might be useful to compare strace timestamps, to
> see if anything specific stands out.
>
> Another good test would be to take a message with one large
> attachment, and time how long it takes to download this attachment,
> with both the gnutls and the openssl-based servers. To be a valid
> test, this might require the IMAP client to be configured from
> scratch each time, otherwise it might cache the message's contents,
> the first time, and use the cached download the second time. For a
> valid test, I'd say that it should take at least ten seconds to
> download with the openssl build. Each mbps-worth of bandwidth is
> 100kb worth of traffic, so it would take about ten seconds to
> download a megabyte-long attachment. So, figure, make up an
> attachment with one megabyte per 1 mbps of your network bandwidth,
> and double it for an extra margin.
>
> Then, if it will take significantly more than whatever it took to
> download the attachment with OpenSSL, then I'd point the finger at
> the low level cryptographic library used by gnutls.
>
> I got curious about this myself. Googling around suggests that
> gnutls's poor performance has been documented before:
>
> http://panthema.net/2008/0714-cryptography-speedtest-comparison/
>
> That's from 2008, not sure how valid this would be today; however
> you say you're using Debian, and Debian stable typically
> distributed older packages, it's plausible that you're running
> circa-2008 software, which would make that article apply in your
> situation. It's entirely possible that this is nothing more than
> gnutls's poor performance.
It took some testing and just in case someone else needs something like
this, I describe it in detail here:

Used tools: stunnel, expect, netcat, time

Scenario: start expect-script logging into imap and downloading a
message against a port opened by stunnel, which does the encryption
stuff to the endpoint. I did all localhost so I would have no bandwidth
limitations.

-- stunnel.conf --
[imaps]
accept = 10443
connect = localhost:993
client = yes

--test.sh--
#!/usr/bin/expect
set timeout 30
proc abort {} { exit 2 }
set ip [lindex $argv 0]
set port [lindex $argv 1]
set cmd [lindex $argv 2]
spawn nc -C $ip $port
expect "OK"
send "A login <USERNAME> <PASSWORD>\r\n"
expect "A OK"
send "A select INBOX\r\n"
expect "A OK"
send "$cmd\r\n"
expect "A OK"
send "A logout\r\n"
expect "A OK"

--putting it together-

Using dd, I created two test files: one 1MB file and one 10MB file.
Then I created a new user account and sent him the two attachments.
Mail ID #1 is 1MB in size, Mail ID #2 is 10MB in size.

Open stunnel from (unencrypted) port 10443 -> (encrypted) 993

$ stunnel4 stunnel.conf

Receive & time the 1MB file and pipe the output so time won't go up by
a blocking console:

$ time ./test.sh localhost 10443 "A fetch 1 rfc822.text" > \
      /tmp/lastnctest

Receive & time the 10MB file and pipe the output so time won't go up by
a blocking console:

$ time ./test.sh localhost 10443 "A fetch 2 rfc822.text" > \
      /tmp/lastnctest

Rinse and repeat.

--results--

This is, at least, unexpected.

For the 1-MB-File, OpenSSL takes 0.355s and GnuTLS takes 0.316s
For the 10-MB-File, OpenSSL takes 1.636s and GnuTLS takes 60.96 sec

Next thing I will do: look at stack traces with GnuTLS and the
10-MB-File. I will report.
_______________________________________________ Courier-imap mailing list Courier-imap@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
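
Added example, not part of the original message or the Courier project: a Python version of the timed fetch that speaks TLS directly through imaplib (in place of stunnel, expect and nc), takes the median of repeated sessions, and subtracts the small-message time from the large one so that handshake and login cost cancel out. Host, port, credentials, message ids and the nominal 1 MB / 10 MB sizes are assumptions.

```python
# Added example: repeat the timed IMAP fetch and separate fixed session cost
# from per-byte cost. Host, port, credentials and message ids are assumptions.
import imaplib
import statistics
import time


def timed_fetch(host, port, user, password, msg_id, ssl_context=None):
    """One session: login, SELECT INBOX, FETCH body text. Returns (seconds, bytes)."""
    start = time.perf_counter()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ssl_context)
    try:
        conn.login(user, password)
        conn.select("INBOX")
        status, data = conn.fetch(str(msg_id), "(RFC822.TEXT)")
        if status != "OK":
            raise RuntimeError(f"FETCH {msg_id} returned {status}")
    finally:
        conn.logout()
    # Literal payloads arrive as (header, bytes) tuples in the response list.
    size = sum(len(part[1]) for part in data if isinstance(part, tuple))
    return time.perf_counter() - start, size


def median_time(runs, fetch=timed_fetch, **kwargs):
    """Median wall-clock seconds and payload size over several sessions."""
    results = [fetch(**kwargs) for _ in range(runs)]
    return statistics.median(t for t, _ in results), results[0][1]


def marginal_rate(small_bytes, small_secs, large_bytes, large_secs):
    """Bytes/second for the extra payload; handshake and login time cancel out."""
    if large_secs <= small_secs:
        raise ValueError("large transfer was not slower; timings too noisy")
    return (large_bytes - small_bytes) / (large_secs - small_secs)


if __name__ == "__main__":
    # Timings reported in the message above; 1 MB / 10 MB are nominal sizes.
    MB = 1_000_000
    reported = {"OpenSSL": (0.355, 1.636), "GnuTLS": (0.316, 60.96)}
    for build, (t1, t10) in reported.items():
        rate = marginal_rate(1 * MB, t1, 10 * MB, t10)
        print(f"{build}: {rate / MB:.2f} MB/s beyond the first megabyte")
    # Live run against a test server (placeholder values):
    # median_time(5, host="localhost", port=993, user="<USERNAME>",
    #             password="<PASSWORD>", msg_id=2)
```

With the reported timings the near-identical 1 MB results show that session setup is not the difference between the two builds; the gap appears only in the additional nine megabytes.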