On Thu, Jan 21, 2016 at 11:11 AM, Willy Tarreau <w...@1wt.eu> wrote:
> Hi Gary,
>
> On Thu, Jan 07, 2016 at 09:48:59PM -0800, Gary Barrueto wrote:
> > I've been testing ssl with version 1.5.14 and 1.6.3. I noticed that with
> > larger files (1mb) reqs/sec is on average 7% slower and as much as 16%
> > depending on the cipher when using version 1.6.3 compared to 1.5.14.
> > Smaller requests (4k files) are not affected. Haproxy is using the exact
> > same config for each version and is using nginx on localhost to serve the
> > static files. We're getting our stats from running wrk benchmark tool
> > which is running from another server with the same hardware spec which is
> > connected on the same switch.
> >
> > Any ideas what may be causing this?
>
> Unfortunately not. Do you have a way to ensure the same algorithms are
> negotiated on both versions ? I've run a diff between 1.5.14 and 1.6.3
> regarding SSL, and it's very limited. Most of the changes affect OpenSSL
> 1.0.2 (you're on 1.0.1), or automatic DH params and in your case they're
> already forced.
>
That's what I'm exactly doing now by forcing the client to only negotiate the
specific protocol/cipher. The largest difference we see is with
ECDHE-RSA-AES256-SHA384/TLS1.2+keepalive, 16% slower when compared to 1.5.14.

> There's something though, I'm seeing SSL_MODE_SMALL_BUFFERS being added
> in 1.6. It only comes with a patch and is not standard, it allows openssl
> to use less memory for small messages. Could you please run the following
> command to see what SSL_MODE_* options are defined on your system :
>
> $ grep -rF SSL_MODE_ /usr/include/openssl/
>

Here is the output from the command.

gary:~$ grep -rF SSL_MODE_ /usr/include/openssl/
/usr/include/openssl/ssl.h:#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
/usr/include/openssl/ssl.h:#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
/usr/include/openssl/ssl.h:#define SSL_MODE_AUTO_RETRY 0x00000004L
/usr/include/openssl/ssl.h:#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
/usr/include/openssl/ssl.h:#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
/usr/include/openssl/ssl.h:#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L

> > I have the 'haproxy -vv' output and hardware specs listed below. Also
> > attaching the haproxy/nginx configs being used.
>
> Thank you, I'm really not seeing anything suspicious there. There's
> something that you should definitely do if you're running on a kernel 3.9
> or later, which is to use as many "bind" lines per frontend as you have
> processes. That makes use of the kernel's SO_REUSEPORT mechanism to balance
> the load across all processes much more evenly than when there's a single
> queue. It might be possible that your load is imbalanced right now.
>

I've just tested with a 3.13 kernel (backported from ubuntu 14.04/trusty) and
we see nearly the same results.

> > Other than that version 1.6.3 seems to be performing well on smaller
> > requests. It's the larger requests we're worried about as that's the size of
> > the majority of the traffic we want on ssl.
>
> That's what puzzles me. Usually the SSL performance issues are more visible
> on small objects than large ones because they're caused by larger keys or
> more costly protocols. Here it would imply either more buffer exchanges,
> or more expensive symmetric crypto.
>
> Just out of curiosity, what is the order of magnitude of the numbers you're
> observing ?
>
> Regards,
> willy
>

Here is a small sample of what we've seen with a 1m payload.

cipher                   protocol  mode           reqs/sec        reqs/sec        % difference
                                                  haproxy 1.5.14  haproxy 1.6.3
ECDHE-RSA-AES256-SHA384  TLS1.2    non-keepalive  208.92          184.25          -13.39%
ECDHE-RSA-AES256-SHA384  TLS1.2    keepalive      224.76          192.12          -16.99%
ECDHE-RSA-AES128-SHA256  TLS1.2    keepalive      174.91          159.67           -9.54%
ADH-AES128-SHA           TLS1.1    keepalive      363.38          336.24           -8.07%

-gary
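Willy's suggestion above (one "bind" line per process so the kernel's SO_REUSEPORT spreads new connections across processes) is easy to misread as a single bind plus nbproc. The fragment below is an added illustration, not a config from this thread or from the HAProxy project: it assumes four processes, a certificate at /etc/haproxy/site.pem and nginx on 127.0.0.1:8080, all placeholders. The "process" bind option it relies on exists in HAProxy 1.5 and 1.6.

```haproxy
global
    # Assumed: four worker processes; match this to the number of bind lines below.
    nbproc 4

defaults
    mode http

frontend fe_https
    # Single shared socket: all four processes accept() from one listen queue,
    # so the distribution of new connections across processes is uneven.
    # bind :443 ssl crt /etc/haproxy/site.pem

    # One bind line per process: each process opens its own socket on :443
    # (SO_REUSEPORT, kernel 3.9 or later) and the kernel balances new
    # connections across the four queues.
    bind :443 ssl crt /etc/haproxy/site.pem process 1
    bind :443 ssl crt /etc/haproxy/site.pem process 2
    bind :443 ssl crt /etc/haproxy/site.pem process 3
    bind :443 ssl crt /etc/haproxy/site.pem process 4
    default_backend be_nginx

backend be_nginx
    # Placeholder: the static-file server on localhost from the benchmark setup.
    server local 127.0.0.1:8080
```

When checking whether this changes the numbers, keep the client forced to one cipher and protocol as Gary did, and compare per-process CPU usage before and after: if the single-bind run shows one or two processes saturated while the others idle, the imbalance Willy describes was contributing to the gap.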