Hi again,
Le 10/10/2012 00:06, Willy Tarreau a écrit :
Hi Baptiste,
On Tue, Oct 09, 2012 at 11:58:27PM +0200, Baptiste wrote:
Hi Cyril, Willy,
There are a few parameter which may impact SSL performance:
- the version of openssl library
- the SSL/TLS version protocol in use
- the cypher used
At this point, none of this parameter would cause a drop from
500 to only 70/s ! I really suspect a lack of session caching
(if CPU is at 100%) or some processing latency somewhere (if
processor usage is very low).
Willy
OK got it. After tracking commits, i realized that the certificate I
used for the tests provided DH parameters, which were supported in
haproxy 7 days ago with this commit :
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=a4bcd9a5a80428629b67dfa6b0ec1ac63b9e69d5
But at the same time, another commit provided the "ecdhe" keyword :
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=2b58d040b692ea10edeb2205e02130aeffc9a910
Adding "ecdhe" to the configuration, with the same curve used as default
in stunnel (prime256v1) helped (around 300 requests/sec with "nbproc 1",
and 500 req/s with 8 processes).
So, all is good ;-)
--
Cyril Bonté
