Impact of SSL

on 14.11.2007 10:42:35 by Chris M

Hello all,

I administer servers that run a busy web application. The IIS servers
are load balanced, currently Windows 2000 Advanced Server but upgrading
to 2003 very soon.

At the moment, only the login process is always secured. A fully SSL
secured session is an optional extra that the user can choose at logon.

We're looking to move to forcing SSL across the whole application and
removing the possibility of a plain HTTP session.

We need to be sure that we still have the capacity to cope after the
switchover. Does anyone know what kind of performance/capacity impact
this might have on our webservers? I guess it's probably hard to gauge
without some kind of stress testing tool - can anyone recommend anything?

Thanks in advance,

--
Chris M.

Remove pants to email me.

Re: Impact of SSL

on 15.11.2007 05:47:34 by Ken Schaefer

With Windows Server 2003 SP1, you can enable kernel-mode SSL. This moves the
most expensive part of the SSL/TLS process (the handshake) into kernel mode,
and removes a number of context switches between user mode (LSASS) and
kernel mode (http.sys). With that, you can expect about a 10% degradation in
performance. That number varies depending on how long your key lengths are
(stronger keys = more overhead), and what ratio of session setup /
established session traffic you have.

If you are running into performance issues, you could just add another box.
Or look at an SSL offloading device to place in front of your servers.

Cheers
Ken

"Chris M" wrote in message
news:fheg0t$tra$1@aioe.org...
>
> Hello all,
>
> I administer servers that run a busy web application. The IIS servers are
> load balanced, currently Windows 2000 Advanced Server but upgrading to
> 2003 very soon.
>
> At the moment, only the login process is always secured. A fully SSL
> secured session is an optional extra that the user can choose at logon.
>
> We're looking to move to forcing SSL across the whole application and
> removing the possibility of a plain HTTP session.
>
> We need to be sure that we still have the capacity to cope after the
> switchover. Does anyone know what kind of performance/capacity impact this
> might have on our webservers? I guess it's probably hard to gauge without
> some kind of stress testing tool - can anyone recommend anything?
>
> Thanks in advance,
>
> --
> Chris M.
>
> Remove pants to email me.

Re: Impact of SSL

on 15.11.2007 10:25:18 by Chris M

Ken Schaefer wrote:
> With Windows Server 2003 SP1, you can enable kernel-mode SSL. This moves
> the most expensive part of the SSL/TLS process (the handshake) into
> kernel mode, and removes a number of context switches between user mode
> (LSASS) and kernel mode (http.sys). With that, you can expect about a
> 10% degradation in performance. That number varies depending on how long
> your key lengths are (stronger keys = more overhead), and what ratio of
> session setup / established session traffic you have.
>
> If you are running into performance issues, you could just add another
> box. Or look at an SSL offloading device to place in front of your servers.
>
> Cheers
> Ken

Thanks Ken,

I'll be looking at hardware SSL devices today to see what sort of cost
we should expect.

Cheers,

Chris.


> "Chris M" wrote in message
> news:fheg0t$tra$1@aioe.org...
>>
>> Hello all,
>>
>> I administer servers that run a busy web application. The IIS servers
>> are load balanced, currently Windows 2000 Advanced Server but
>> upgrading to 2003 very soon.
>>
>> At the moment, only the login process is always secured. A fully SSL
>> secured session is an optional extra that the user can choose at logon.
>>
>> We're looking to move to forcing SSL across the whole application and
>> removing the possibility of a plain HTTP session.
>>
>> We need to be sure that we still have the capacity to cope after the
>> switchover. Does anyone know what kind of performance/capacity impact
>> this might have on our webservers? I guess it's probably hard to gauge
>> without some kind of stress testing tool - can anyone recommend anything?
>>
>> Thanks in advance,

Re: Impact of SSL

on 16.11.2007 15:53:59 by DaveMo

On Nov 14, 8:47 pm, "Ken Schaefer" wrote:
> With Windows Server 2003 SP1, you can enable kernel-mode SSL. This moves the
> most expensive part of the SSL/TLS process (the handshake) into kernel mode,
> and removes a number of context switches between user mode (LSASS) and
> kernel mode (http.sys). With that, you can expect about a 10% degradation in
> performance. That number varies depending on how long your key lengths are
> (stronger keys = more overhead), and what ratio of session setup /
> established session traffic you have.
>
> If you are running into performance issues, you could just add another box.
> Or look at an SSL offloading device to place in front of your servers.
>
> Cheers
> Ken
>
> "Chris M" wrote in message
>
> news:fheg0t$tra$1@aioe.org...
>
> > Hello all,
>
> > I administer servers that run a busy web application. The IIS servers are
> > load balanced, currently Windows 2000 Advanced Server but upgrading to
> > 2003 very soon.
>
> > At the moment, only the login process is always secured. A fully SSL
> > secured session is an optional extra that the user can choose at logon.
>
> > We're looking to move to forcing SSL across the whole application and
> > removing the possibility of a plain HTTP session.
>
> > We need to be sure that we still have the capacity to cope after the
> > switchover. Does anyone know what kind of performance/capacity impact this
> > might have on our webservers? I guess it's probably hard to gauge without
> > some kind of stress testing tool - can anyone recommend anything?
>
> > Thanks in advance,
>
> > --
> > Chris M.
>
> > Remove pants to email me.

I did a series of tests back in 2003 on Server 2003 and measured the
perf impact of encrypting the data stream as something around 5%. This
is pure CPU overhead as there was no other measurable or observed
impact. This discounts the cost of doing the handshake, but that
matches your scenario since you are doing the handshake already during
authentication.

HTH,
Dave