RE: mod_ssl performance problems - FreeBSD
Thanks for the information. What would be the recommended SSLCipherSuite settings to use? I would like to eliminate some of the lower security options, but I am curious what set of clients that would affect. Originally ports had added this line to httpd.conf SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL I then changed it to SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL And saw some huge performance changes. The TPS jumped from the 13-15 range into the lower 60 range. Also the total transaction time dropped by more than 2/3 of the original. So overall I have changed these parameters - SSLCipherSuite - see above, huge changes SSLRandomSeed - changed from /dev/random to /dev/urandom SSLSessionCacheTimeout - increased to 900 due to the time users will be in the app. What is the tradeoff memory-wise? Are there any other parameters that should be tuned? I have seen a lot about the SSLMutex but I am not sure I understand the value of making that change. Thanks again Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of a k Sent: Monday, March 26, 2007 4:39 AM To: modssl-users@modssl.org Subject: RE: mod_ssl performance problems - FreeBSD The cipher you allow will have a big impact on performance. Tim Lovelace <[EMAIL PROTECTED]> wrote: Thanks for the response. Although I expected a pretty decent difference between HTTP and HTTPS I didnt realize it would be so significant. Both machines are small P3 2ghz boxes, the client side is running Ubuntu. They are connected to the same switch. For the ab options I am running ab -n 1000 -c 100 s https://targethost I can live with the low tps count assuming that the speed was a little better. I have seen some of the initial connections take from 5-10 seconds to setup. Is there some good general tuning I should try out? Thanks Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, March 25, 2007 11:14 AM To: modssl-users@modssl.org Cc: [EMAIL PROTECTED] Subject: RE: mod_ssl performance problems - FreeBSD What hardwre are you using for the client and the server? are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager [EMAIL PROTECTED] TV dinner still cooling? Check out "Tonight's Picks" on Yahoo! TV. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
RE: mod_ssl performance problems - FreeBSD
The cipher you allow will have a big impact on performance. Tim Lovelace <[EMAIL PROTECTED]> wrote: Thanks for the response. Although I expected a pretty decent difference between HTTP and HTTPS I didnt realize it would be so significant. Both machines are small P3 2ghz boxes, the client side is running Ubuntu. They are connected to the same switch. For the ab options I am running ab -n 1000 -c 100 s https://targethost I can live with the low tps count assuming that the speed was a little better. I have seen some of the initial connections take from 5-10 seconds to setup. Is there some good general tuning I should try out? Thanks Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, March 25, 2007 11:14 AM To: modssl-users@modssl.org Cc: [EMAIL PROTECTED] Subject: RE: mod_ssl performance problems - FreeBSD What hardwre are you using for the client and the server? are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED] - TV dinner still cooling? Check out "Tonight's Picks" on Yahoo! TV.
RE: mod_ssl performance problems - FreeBSD
Thanks for the response. Although I expected a pretty decent difference between HTTP and HTTPS I didnt realize it would be so significant. Both machines are small P3 2ghz boxes, the client side is running Ubuntu. They are connected to the same switch. For the ab options I am running ab -n 1000 -c 100 s https://targethost I can live with the low tps count assuming that the speed was a little better. I have seen some of the initial connections take from 5-10 seconds to setup. Is there some good general tuning I should try out? Thanks Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, March 25, 2007 11:14 AM To: modssl-users@modssl.org Cc: [EMAIL PROTECTED] Subject: RE: mod_ssl performance problems - FreeBSD What hardwre are you using for the client and the server? are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
RE: mod_ssl performance problems - FreeBSD
What hardwre are you using for the client and the server? are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim