On Tue, Dec 26, 2017 at 10:28:57AM +0100, Jérôme Magnin wrote:
> 748 looks like what a single core on a VM can achieve in terms of private key
> computation with rsa 2048 certs. You can confirm this by running the following
> command in your vm:
>
> openssl speed rsa2048.
>
> 21000 is too high to be key computation only.

Indeed, clearly one is doing RSA only while the other one does resume.

> > My haproxy config looks like this:
> > https://gist.github.com/lucasRolff/36fc84ac44aad559c1d43ab6f30237c8
>
> This configuration has no backend, so each request will be replied to with a
> 503 response containing a connection: close header, which means each request
> will lead to a key computation.

Good catch, indeed the error (even if it's rewritten as a fake 200) will
result in the connection being aborted and I guess then the SSL context is
not kept in ab in this case.

Lucas, a better solution is to use a redirect, such as:

    redirect location /foo

This will not cost much and will perform a complete HTTP rules evaluation
as well.

Some of the numbers we've observed here on a single core/single threaded
core i7-4790:

    1350 TLSv1.2 key computations/s (RSA2048)
    14000 TLSv1.2 connection resumes/s
    180000 req/s over TLSv1.2 (keep-alive)

By using the redirect above instead of the errorfile, you should be able to
test all these.

Willy
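
The two setups discussed in this message, side by side, as an added configuration sketch. It is not the gist linked in the thread and not a configuration posted by any participant; the ports, frontend names, certificate path and error-file path are placeholders.

```haproxy
# Constructed example: values below are placeholders, not taken from the thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Setup described in the thread: no backend, so every request is answered
# with a 503 (here rewritten into a fake 200 via errorfile). The response
# carries "Connection: close", so a benchmark client has to open a new TLS
# connection for every request.
frontend tls_bench_errorfile
    bind :8443 ssl crt /etc/haproxy/certs/placeholder.pem
    errorfile 503 /etc/haproxy/errors/placeholder-200.http

# Suggested replacement: answer every request with a redirect. The request
# still goes through full HTTP rule evaluation, and the response is a normal
# one rather than an error, so full handshakes, session resumes and
# keep-alive requests can each be measured against the same frontend.
frontend tls_bench_redirect
    bind :9443 ssl crt /etc/haproxy/certs/placeholder.pem
    redirect location /foo
```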