mod_ssl performance problems - FreeBSD

This is a multi-part message in MIME format.

------=_NextPart_000_008B_01C76EAA.570FD6E0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello,



I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software



Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1



All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.





Tim


------=_NextPart_000_008B_01C76EAA.570FD6E0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">


charset=3Dus-ascii">

RE: mod_ssl performance problems - FreeBSD

This is a multi-part message in MIME format.

------=_NextPart_000_071C_01C76ED7.199C0DB0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

What hardwre are you using for the client and the server? are you running
ab from localhost? What options are you using with ab?

Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake. I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for
HTTP, and 24 for HTTPS. I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.

If you want fast SSL, you need hardware acceleration.


_____

From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD



Hello,



I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software



Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1



All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.





Tim


------=_NextPart_000_071C_01C76ED7.199C0DB0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word">
charset=3Dus-ascii">

style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px =
solid; MARGIN-RIGHT: 0px">

---

From: =
owner-modssl-users@modssl.org=20
[mailto:owner-modssl-users@modssl.org] On Behalf Of Tim=20
Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To:=20
modssl-users@modssl.org
Subject: mod_ssl performance =
problems -=20
FreeBSD

style=3D"FONT-SIZE: 10pt; FONT-FAMILY: =
Arial">Hello,

style=3D"FONT-SIZE: 10pt; FONT-FAMILY: =
Arial"> 

style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">I am having some issues =
with my=20
SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently =
running the=20
following software

style=3D"FONT-SIZE: 10pt; FONT-FAMILY: =
Arial"> 

style=3D"FONT-SIZE: 12pt">Server Version: Apache/1.3.37 (Unix) =
PHP/5.1.6 with=20
Suhosin-Patch mod_ssl/2.8.28 =
OpenSSL/0.9.7e-p1

style=3D"FONT-SIZE: 12pt"> 

style=3D"FONT-SIZE: 12pt">All built from ports. In testing of the web=20
application I noticed that once SSL was added the initial login to the =
site=20
was slowing down. I did some testing using Apache Bench and have =
noticed that=20
without SSL the server can process about 700 requests per second. =
Using SSL=20
the number is in the 13-15 range. I have tried changing a few =
parameters (log=20
level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. =
Using=20
server_status shows that there are plenty of resources available. Any =
help=20
would be appreciated.

style=3D"FONT-SIZE: 12pt"> 

style=3D"FONT-SIZE: 12pt"> 

style=3D"FONT-SIZE: 12pt">Tim size=3D2> style=3D"FONT-SIZE: 10pt; FONT-FAMILY: =
Arial">

RE: mod_ssl performance problems - FreeBSD

Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn=92t realize it would be so significant. =
Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. =
They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 =96s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 =
seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim=20

________________________________________
From: owner-modssl-users@modssl.org =
[mailto:owner-modssl-users@modssl.org]
On Behalf Of lusky@ircd-hybrid.org
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: timl@midsouth.rr.com
Subject: RE: mod_ssl performance problems - FreeBSD

What hardwre are you using for the client and the server?=A0 are you =
running
ab from localhost?=A0 What options are you using with ab?
=A0
Most of the CPU cycles in each transaction are going to be spent in =
the=A0SSL
handshake.=A0 I just did a quick test=A0of one of my servers running =
1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for=A0HTTP, and 24=A0for HTTPS.=A0 I suspect that the latter may =
represent the
capabilities of my client machine rather than the server machine.
=A0
If you want fast SSL, you need hardware acceleration. 

________________________________________
From: owner-modssl-users@modssl.org =
[mailto:owner-modssl-users@modssl.org]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD =
6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that =
once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server =
can
process about 700 requests per second. Using SSL the number is in the =
13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows =
that
there are plenty of resources available. Any help would be appreciated.


Tim

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: mod_ssl performance problems - FreeBSD

--0-2060053481-1174901925=:52396
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

The cipher you allow will have a big impact on performance.

Tim Lovelace wrote: Thanks for the response. Altho=
ugh I expected a pretty decent difference
between HTTP and HTTPS I didn=92t realize it would be so significant. Bot=
h
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 =96s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 second=
s
to setup. Is there some good general tuning I should try out?

Thanks
Tim=20

________________________________________
From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org=
]
On Behalf Of lusky@ircd-hybrid.org
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: timl@midsouth.rr.com
Subject: RE: mod_ssl performance problems - FreeBSD

What hardwre are you using for the client and the server? are you runnin=
g
ab from localhost? What options are you using with ab?
=20
Most of the CPU cycles in each transaction are going to be spent in the S=
SL
handshake. I just did a quick test of one of my servers running 1.3.37 o=
n a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS. I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
=20
If you want fast SSL, you need hardware acceleration. =20

________________________________________
From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org=
]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEA=
SE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that on=
ce
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server c=
an
process about 700 requests per second. Using SSL the number is in the 13-=
15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows t=
hat
there are plenty of resources available. Any help would be appreciated.


Tim

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org


=20
---------------------------------
TV dinner still cooling?
Check out "Tonight's Picks" on Yahoo! TV.
--0-2060053481-1174901925=:52396
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

The cipher you allow will have a big impact on performance.

=
Tim Lovelace <timl@midsouth.rr.com> wrote:

=3D"replbq" style=3D"border-left: 2px solid rgb(16, 16, 255); margin-left=
: 5px; padding-left: 5px;"> Thanks for the response. Although I expected =
a pretty decent difference
between HTTP and HTTPS I didn=92t realize i=
t would be so significant. Both
machines are small P3 2ghz boxes, the =
client side is running Ubuntu. They
are connected to the same switch. =
For the ab options I am running

ab -n 1000 -c 100 =96s https://tar=
gethost

I can live with the low tps count assuming that the speed =
was a little
better. I have seen some of the initial connections take =
from 5-10 seconds
to setup. Is there some good general tuning I should=
try out?

Thanks
Tim

__________________________________=
______
From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@=
modssl.org]
On Behalf Of
lusky@ircd-hybrid.org
Sent: Sunday, March 25, 2007 11:14 AM
To: mo=
dssl-users@modssl.org
Cc: timl@midsouth.rr.com
Subject: RE: mod_ssl=
performance problems - FreeBSD

What hardwre are you using for the=
client and the server?  are you running
ab from localhost? =
What options are you using with ab?
 
Most of the CPU cycles =
in each transaction are going to be spent in the SSL
handshake.&n=
bsp; I just did a quick test of one of my servers running 1.3.37 on =
a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps<=
br>for HTTP, and 24 for HTTPS.  I suspect that the latter =
may represent the
capabilities of my client machine rather than the se=
rver machine.
 
If you want fast SSL, you need hardware accele=
ration. 

________________________________________
From: o=
wner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org]
On=
Behalf Of Tim Lovelace
Sent:
Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject=
: mod_ssl performance problems - FreeBSD
Hello,

I am having som=
e issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I=
am currently running the following software

Server Version: Apach=
e/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.=
9.7e-p1

All built from ports. In testing of the web application I =
noticed that once
SSL was added the initial login to the site was slow=
ing down. I did some
testing using Apache Bench and have noticed that =
without SSL the server can
process about 700 requests per second. Usin=
g SSL the number is in the 13-15
range. I have tried changing a few pa=
rameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 i=
mprovement. Using server_status shows that
there are plenty of resourc=
es available. Any help would be
appreciated.


Tim

_____________________________________=
_________________________________
Apache Interface to OpenSSL (mod_ssl=
) www.modssl.org
User Support Mailing List =
modssl-users@modssl.org
Automated List Manager =
majordomo@modssl.org

RE: mod_ssl performance problems - FreeBSD

Thanks for the information. What would be the recommended SSLCipherSuite
settings to use? I would like to eliminate some of the lower security
options, but I am curious what set of clients that would affect. =
Originally
ports had added this line to httpd.conf

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+e NULL

I then changed it to=20

SSLCipherSuite =
!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

And saw some huge performance changes. The TPS jumped from the 13-15 =
range
into the lower 60 range. Also the total transaction time dropped by more
than 2/3 of the original.


So overall I have changed these parameters -

SSLCipherSuite - see above, huge changes
SSLRandomSeed - changed from /dev/random to /dev/urandom
SSLSessionCacheTimeout - increased to 900 due to the time users will be =
in
the app. What is the tradeoff memory-wise?

Are there any other parameters that should be tuned? I have seen a lot =
about
the SSLMutex but I am not sure I understand the value of making that =
change.
Thanks again

Tim


________________________________________
From: owner-modssl-users@modssl.org =
[mailto:owner-modssl-users@modssl.org]
On Behalf Of a k
Sent: Monday, March 26, 2007 4:39 AM
To: modssl-users@modssl.org
Subject: RE: mod_ssl performance problems - FreeBSD

The cipher you allow will have a big impact on performance.

Tim Lovelace wrote:
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn=92t realize it would be so significant. =
Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. =
They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 =96s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 =
seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim=20

________________________________________
From: owner-modssl-users@modssl.org =
[mailto:owner-modssl-users@modssl.org]
On Behalf Of lusky@ircd-hybrid.org
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: timl@midsouth.rr.com
Subject: RE: mod_ssl performance problems - FreeBSD

What hardwre are you using for the client and the server?=A0 are you =
running
ab from localhost?=A0 What options are you using with ab?
=A0
Most of the CPU cycles in each transaction are going to be spent in =
the=A0SSL
handshake.=A0 I just did a quick test=A0of one of my servers running =
1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for=A0HTTP, and 24=A0for HTTPS.=A0 I suspect that the latter may =
represent the
capabilities of my client machine rather than the server machine.
=A0
If you want fast SSL, you need hardware acceleration. 

________________________________________
From: owner-modssl-users@modssl.org =
[mailto:owner-modssl-users@modssl.org]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD =
6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that =
once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server =
can
process about 700 requests per second. Using SSL the number is in the =
13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows =
that
there are plenty of resources available. Any help would be appreciated.


Tim

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

=20
________________________________________
TV dinner still cooling?
Check out "Tonight's Picks" on Yahoo! TV.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org