Thanks for the information. What would be the recommended SSLCipherSuite
settings to use? I would like to eliminate some of the lower security
options, but I am curious what set of clients that would affect. Originally
ports had added this line to httpd.conf
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
I then changed it to
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
And saw some huge performance changes. The TPS jumped from the 13-15 range
into the lower 60 range. Also the total transaction time dropped by more
than 2/3 of the original.
So overall I have changed these parameters -
SSLCipherSuite - see above, huge changes
SSLRandomSeed - changed from /dev/random to /dev/urandom
SSLSessionCacheTimeout - increased to 900 due to the time users will be in
the app. What is the tradeoff memory-wise?
Are there any other parameters that should be tuned? I have seen a lot about
the SSLMutex but I am not sure I understand the value of making that change.
Thanks again
Tim
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of a k
Sent: Monday, March 26, 2007 4:39 AM
To: modssl-users@modssl.org
Subject: RE: mod_ssl performance problems - FreeBSD
The cipher you allow will have a big impact on performance.
Tim Lovelace [EMAIL PROTECTED] wrote:
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didnt realize it would be so significant. Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running
ab -n 1000 -c 100 s https://targethost
I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 seconds
to setup. Is there some good general tuning I should try out?
Thanks
Tim
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl performance problems - FreeBSD
What hardwre are you using for the client and the server? are you running
ab from localhost? What options are you using with ab?
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake. I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS. I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
If you want fast SSL, you need hardware acceleration.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,
I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software
Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1
All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.
Tim
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
TV dinner still cooling?
Check out Tonight's Picks on Yahoo! TV.
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
