benchmarking mod_gnutls vs mod_ssl
chip at corelands.com
Thu Mar 6 23:43:59 CET 2008
On 3/5/08, Simon Josefsson <simon at josefsson.org> wrote:
> I've created a wiki page to explain how to benchmark mod_gnutls vs
> mod_ssl with apache2 using only official debian packages.
> The initial results place mod_gnutls at 50-75% of the performance of
> mod_ssl, which was higher than what I would have guessed. We haven't
> done any organized optimizations.
> Results from other architectures or operating systems are very welcome.
> Just add the output at the end of the page, under a new 'Results from X'
> One interesting behaviour I noticed when running the tests was that with
> mod_ssl, the exchanged TCP packets as seen in wireshark were:
> -> client hello
> <- server hello, certificate, server key exchange, server hello done
> -> client key exchange, change cipher spec, encrypted handshake message
> <- change cipher spec, encrypted handshake message
> but with gnutls we have:
> -> client hello
> <- server hello
> <- certificate
> <- server key exchange
> <- server hello done
> ->client key exchange, change cipher spec, encrypted handshake message
> <- change cipher spec
> <- encrypted handshake message
> In other words, gnutls sends each TLS packet in a separate TCP packet.
> This may have some impact on performance, but it is too early to tell
> for sure.
This might be a bug in mod_gnutls -- we might want to add some smarter
buffering / picking when we do a flush(). Right now I believe we try to
flush every time gnutls says there is data to send.
It also would be nice if the gnutls API had a better way to say "flush",
rather than just "here is data", although the current API is simple :-)
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel