Andrey, Thank you for replying.
1. I'm running apache benchmark utility: ab -c 100 -n 100000 https://localhost:44300/ . And I'm measuring handshakes/sec. 2. Certificates are here https://github.com/indutny/tlsnappy/tree/master/keys and connections are using following ciphers: Cipher Suite Protocol :TLSv1/SSLv3 Cipher Suite Name :AES256-SHA Cipher Suite Cipher Bits:256 (256) 3. Results of benchmarks are posted here : http://blog.indutny.com/1.to-lock-or-not-to-lock at the bottom of page in "Results" section. 4. I'm afraid I won't be able to do it anywhere soon, since I've only one smartos (solaris) server at hand right now (which I can't clobber). 5. This is rather complicated right now too, see 4 Cheers, Fedor. On Sat, Jan 5, 2013 at 4:26 PM, Andrey Kulikov <[email protected]> wrote: > I'm affraid flamegraphs for two different servers with two different > OpenSSL libraries without information about type of load it was collected > with and without any information other than "smth. started spending much > more time than it was" can not give much information about root cause for > the issue. > > You may start with: > 1. Describing you test procedure. (what are you measuring? Handshakes? > Data transfer? Multithreaded?) > 2. Describing test environment (type of certificates, key length, used > chiphersuites, etc) > 3. Measure performance differences in absolute values (ms, handshakes per > second, etc) > 4. Measure nginx perfromance with two different OpenSSL versions. > 5. Measure your server performance with two different OpenSSL versions. > 6. Share your findings. > > > On 5 January 2013 13:14, Fedor Indutny <[email protected]> wrote: > >> Hello devs, >> >> Right now I'm doing a lot of benchmarks, trying to figure out how to make >> my https server as fast as are others (for example, nginx). I've found that >> somewhere between 0.9.8 and 1.0.1c ssl3_get_cert_verify has started >> spending much more time than it was. >> >> I wonder if you're aware of it, or if this thing can depend on some >> SSL_CTX mode/flag. >> >> Here are flamegraphs for you to make it more clearer what I'm talking >> about: >> >> * My server (openssl1.0.1c) - http://blog.indutny.com/f/tlsnappy-x64.svg >> * Nginx (openssl0.9.8) - http://blog.indutny.com/f/nginx.svg >> >> And here are sources of my server, just in case if you need them to >> figure something out: >> https://github.com/indutny/tlsnappy/blob/master/src/tlsnappy.cc >> >> Thank you, >> Fedor. >> > >
