benchmarking mod_gnutls vs mod_ssl

Paul Querna chip at corelands.com
Thu Mar 6 23:43:59 CET 2008 

On 3/5/08, Simon Josefsson <simon at josefsson.org> wrote:
>
> All,
>
> I've created a wiki page to explain how to benchmark mod_gnutls vs
> mod_ssl with apache2 using only official debian packages.
>
> http://trac.gnutls.org/cgi-bin/trac.cgi/wiki/BenchmarkingModGnuTLS
>
> The initial results place mod_gnutls at 50-75% of the performance of
> mod_ssl, which was higher than what I would have guessed.  We haven't
> done any organized optimizations.
>
> Results from other architectures or operating systems are very welcome.
> Just add the output at the end of the page, under a new 'Results from X'
> heading.
>
> One interesting behaviour I noticed when running the tests was that with
> mod_ssl, the exchanged TCP packets as seen in wireshark were:
>
> -> client hello
> <- server hello, certificate, server key exchange, server hello done
> -> client key exchange, change cipher spec, encrypted handshake message
> <- change cipher spec, encrypted handshake message
> ...
>
> but with gnutls we have:
>
> -> client hello
> <- server hello
> <- certificate
> <- server key exchange
> <- server hello done
> ->client key exchange, change cipher spec, encrypted handshake message
> <- change cipher spec
> <- encrypted handshake message
>
> In other words, gnutls sends each TLS packet in a separate TCP packet.
> This may have some impact on performance, but it is too early to tell
> for sure.



This might be a bug in mod_gnutls -- we might want to add some smarter
buffering / picking when we do a flush(). Right now I believe we try to
flush every time gnutls says there is data to send.


It also would be nice if the gnutls API had a better way to say "flush",
rather than just "here is data", although the current API is simple :-)

-Paul



/Simon
>
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20080306/84d66581/attachment.htm>

More information about the Gnutls-devel mailing list