mod_ssl performance problems

This is a multi-part message in MIME format.

------=_NextPart_000_008B_01C76EAA.570FD6E0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.

Tim

------=_NextPart_000_008B_01C76EAA.570FD6E0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>

</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

Hello,<o:p></o:p>

<o:p> </o:p>

I am having some issues with my SSL implementation on =
a
FreeBSD 6.2-RELEASE system. I am currently running the following =
software<o:p></o:p>

<o:p> </o:p>

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with =
Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1<o:p></o:p>

<o:p> </o:p>

All built from ports. In testing of the web application I =
noticed that
once SSL was added the initial login to the site was slowing down. I did =
some
testing using Apache Bench and have noticed that without SSL the server =
can
process about 700 requests per second. Using SSL the number is in the =
13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed, =
SSLSessionCache)
and have seen 0 improvement. Using server_status shows that there are =
plenty of
resources available. Any help would be =
appreciated.<o:p></o:p>

<o:p> </o:p>

<o:p> </o:p>

Tim<o:p></o:p>

</div>

</body>

</html>

------=_NextPart_000_008B_01C76EAA.570FD6E0--

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org

This is a multi-part message in MIME format.

------=_NextPart_000_071C_01C76ED7.199C0DB0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

What hardwre are you using for the client and the server? are you running
ab from localhost? What options are you using with ab?

Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake. I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for
HTTP, and 24 for HTTPS. I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.

If you want fast SSL, you need hardware acceleration.

_____

From: owner-modssl-users [at] modssl.org [mailto:owner-modssl-users [at] modssl.org]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users [at] modssl.org
Subject: mod_ssl performance problems - FreeBSD

Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.

Tim

------=_NextPart_000_071C_01C76ED7.199C0DB0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns=3D"http://www.w3.org/TR/REC-html40" xmlns:o =3D
"urn:schemas-microsoft-com:office:office" xmlns:w =3D
"urn:schemas-microsoft-com:office:word"><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2900.3059" name=3DGENERATOR>
<STYLE> [at] page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in =
1.25in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal-compose
}
DIV.Section1 {
page: Section1
}
</STYLE>
</HEAD>
<BODY lang=3DEN-US vLink=3Dpurple link=3Dblue>
<DIV dir=3Dltr align=3Dleft>What hardwre are you using for the client and =
the
server? are you running ab from localhost? What options are =
you
using with ab?</DIV>
<DIV dir=3Dltr align=3Dleft> </DIV>
<DIV dir=3Dltr align=3Dleft>Most of the CPU cycles in each transaction =
are going to
be spent in the SSL handshake. I just did a quick =
test of one of
my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the =
client, and
saw about 5000rps for HTTP, and 24 for HTTPS. I suspect =
that the
latter may represent the capabilities of my client machine rather than =
the
server machine.</DIV>
<DIV dir=3Dltr align=3Dleft> </DIV>
<DIV dir=3Dltr align=3Dleft>If you want fast SSL, you need hardware
acceleration. </DIV> 
<BLOCKQUOTE dir=3Dltr
style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px =
solid; MARGIN-RIGHT: 0px">
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr align=3Dleft>
<HR tabIndex=3D-1>
From: =
owner-modssl-users [at] modssl.org
[mailto:owner-modssl-users [at] modssl.org] On Behalf Of Tim
Lovelace Sent: Sunday, March 25, 2007 7:54 AM To:
modssl-users [at] modssl.org Subject: mod_ssl performance =
problems -
FreeBSD </DIV>
<DIV></DIV>
<DIV class=3DSection1>
Hello,<o:p></o:p>
<o:p> </o:p>
I am having some issues =
with my
SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently =
running the
following software<o:p></o:p>
<o:p> </o:p>
Server Version: Apache/1.3.37 (Unix) =
PHP/5.1.6 with
Suhosin-Patch mod_ssl/2.8.28 =
OpenSSL/0.9.7e-p1<o:p></o:p>
<o:p> </o:p>
All built from ports. In testing of the web
application I noticed that once SSL was added the initial login to the =
site
was slowing down. I did some testing using Apache Bench and have =
noticed that
without SSL the server can process about 700 requests per second. =
Using SSL
the number is in the 13-15 range. I have tried changing a few =
parameters (log
level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. =
Using
server_status shows that there are plenty of resources available. Any =
help
would be appreciated.<o:p></o:p>
<o:p> </o:p>
<o:p> </o:p>
Tim<o:p></o:p></DIV></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_071C_01C76ED7.199C0DB0--

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org

Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn=92t realize it would be so significant. =
Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. =
They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 =96s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 =
seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim

________________________________________
From: owner-modssl-users [at] modssl.org =
[mailto:owner-modssl-users [at] modssl.org]
On Behalf Of lusky [at] ircd-hybrid.org
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users [at] modssl.org
Cc: timl [at] midsouth.rr.com
Subject: RE: mod_ssl performance problems - FreeBSD

What hardwre are you using for the client and the server?=A0 are you =
running
ab from localhost?=A0 What options are you using with ab?
=A0
Most of the CPU cycles in each transaction are going to be spent in =
the=A0SSL
handshake.=A0 I just did a quick test=A0of one of my servers running =
1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for=A0HTTP, and 24=A0for HTTPS.=A0 I suspect that the latter may =
represent the
capabilities of my client machine rather than the server machine.
=A0
If you want fast SSL, you need hardware acceleration.=A0

________________________________________
From: owner-modssl-users [at] modssl.org =
[mailto:owner-modssl-users [at] modssl.org]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users [at] modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD =
6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that =
once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server =
can
process about 700 requests per second. Using SSL the number is in the =
13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows =
that
there are plenty of resources available. Any help would be appreciated.

Tim

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org

--0-2060053481-1174901925=:52396
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

The cipher you allow will have a big impact on performance.

Tim Lovelace <timl [at] midsouth.rr.com> wrote: Thanks for the response. Altho=
ugh I expected a pretty decent difference
between HTTP and HTTPS I didn=92t realize it would be so significant. Bot=
h
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 =96s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 second=
s
to setup. Is there some good general tuning I should try out?

Thanks
Tim

________________________________________
From: owner-modssl-users [at] modssl.org [mailto:owner-modssl-users [at] modssl.org=
]
On Behalf Of lusky [at] ircd-hybrid.org
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users [at] modssl.org
Cc: timl [at] midsouth.rr.com
Subject: RE: mod_ssl performance problems - FreeBSD

What hardwre are you using for the client and the server? are you runnin=
g
ab from localhost? What options are you using with ab?

Most of the CPU cycles in each transaction are going to be spent in the S=
SL
handshake. I just did a quick test of one of my servers running 1.3.37 o=
n a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS. I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.

If you want fast SSL, you need hardware acceleration.

________________________________________
From: owner-modssl-users [at] modssl.org [mailto:owner-modssl-users [at] modssl.org=
]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users [at] modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEA=
SE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that on=
ce
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server c=
an
process about 700 requests per second. Using SSL the number is in the 13-=
15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows t=
hat
there are plenty of resources available. Any help would be appreciated.

Tim

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org

---------------------------------
TV dinner still cooling?
Check out "Tonight's Picks" on Yahoo! TV.
--0-2060053481-1174901925=:52396
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

The cipher you allow will have a big impact on performance. =
Tim Lovelace <timl [at] midsouth.rr.com> wrote:<blockquote class=
=3D"replbq" style=3D"border-left: 2px solid rgb(16, 16, 255); margin-left=
: 5px; padding-left: 5px;"> Thanks for the response. Although I expected =
a pretty decent difference between HTTP and HTTPS I didn=92t realize i=
t would be so significant. Both machines are small P3 2ghz boxes, the =
client side is running Ubuntu. They are connected to the same switch. =
For the ab options I am running ab -n 1000 -c 100 =96s https://tar=
gethost I can live with the low tps count assuming that the speed =
was a little better. I have seen some of the initial connections take =
from 5-10 seconds to setup. Is there some good general tuning I should=
try out? Thanks Tim __________________________________=
______ From: owner-modssl-users [at] modssl.org [mailto:owner-modssl-users [at] =
modssl.org] On Behalf Of
lusky [at] ircd-hybrid.org Sent: Sunday, March 25, 2007 11:14 AM To: mo=
dssl-users [at] modssl.org Cc: timl [at] midsouth.rr.com Subject: RE: mod_ssl=
performance problems - FreeBSD What hardwre are you using for the=
client and the server? are you running ab from localhost? =
What options are you using with ab? Most of the CPU cycles =
in each transaction are going to be spent in the SSL handshake.&n=
bsp; I just did a quick test of one of my servers running 1.3.37 on =
a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps<=
br>for HTTP, and 24 for HTTPS. I suspect that the latter =
may represent the capabilities of my client machine rather than the se=
rver machine. If you want fast SSL, you need hardware accele=
ration. ________________________________________ From: o=
wner-modssl-users [at] modssl.org [mailto:owner-modssl-users [at] modssl.org] On=
Behalf Of Tim Lovelace Sent:
Sunday, March 25, 2007 7:54 AM To: modssl-users [at] modssl.org Subject=
: mod_ssl performance problems - FreeBSD Hello, I am having som=
e issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I=
am currently running the following software Server Version: Apach=
e/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.=
9.7e-p1 All built from ports. In testing of the web application I =
noticed that once SSL was added the initial login to the site was slow=
ing down. I did some testing using Apache Bench and have noticed that =
without SSL the server can process about 700 requests per second. Usin=
g SSL the number is in the 13-15 range. I have tried changing a few pa=
rameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 i=
mprovement. Using server_status shows that there are plenty of resourc=
es available. Any help would be
appreciated. Tim _____________________________________=
_________________________________ Apache Interface to OpenSSL (mod_ssl=
) www.modssl.org User Support Mailing List =
modssl-users [at] modssl.org Automated List Manager =
majordomo [at] modssl.org </blockquote> 

<hr size=3D1>TV dinner still cooling? <a href=3D"http://us.rd.yahoo.co=
m/evt=3D49979/*http://tv.yahoo.com/">Check out "Tonight's Picks"</a> on Y=
ahoo! TV.
--0-2060053481-1174901925=:52396--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org

Thanks for the information. What would be the recommended SSLCipherSuite
settings to use? I would like to eliminate some of the lower security
options, but I am curious what set of clients that would affect. =
Originally
ports had added this line to httpd.conf

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+e NULL

I then changed it to

SSLCipherSuite =
!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

And saw some huge performance changes. The TPS jumped from the 13-15 =
range
into the lower 60 range. Also the total transaction time dropped by more
than 2/3 of the original.

So overall I have changed these parameters -

SSLCipherSuite - see above, huge changes
SSLRandomSeed - changed from /dev/random to /dev/urandom
SSLSessionCacheTimeout - increased to 900 due to the time users will be =
in
the app. What is the tradeoff memory-wise?

Are there any other parameters that should be tuned? I have seen a lot =
about
the SSLMutex but I am not sure I understand the value of making that =
change.
Thanks again

Tim

________________________________________
From: owner-modssl-users [at] modssl.org =
[mailto:owner-modssl-users [at] modssl.org]
On Behalf Of a k
Sent: Monday, March 26, 2007 4:39 AM
To: modssl-users [at] modssl.org
Subject: RE: mod_ssl performance problems - FreeBSD

The cipher you allow will have a big impact on performance.

Tim Lovelace <timl [at] midsouth.rr.com> wrote:
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn=92t realize it would be so significant. =
Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. =
They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 =96s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 =
seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim

________________________________________
From: owner-modssl-users [at] modssl.org =
[mailto:owner-modssl-users [at] modssl.org]
On Behalf Of lusky [at] ircd-hybrid.org
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users [at] modssl.org
Cc: timl [at] midsouth.rr.com
Subject: RE: mod_ssl performance problems - FreeBSD

What hardwre are you using for the client and the server?=A0 are you =
running
ab from localhost?=A0 What options are you using with ab?
=A0
Most of the CPU cycles in each transaction are going to be spent in =
the=A0SSL
handshake.=A0 I just did a quick test=A0of one of my servers running =
1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for=A0HTTP, and 24=A0for HTTPS.=A0 I suspect that the latter may =
represent the
capabilities of my client machine rather than the server machine.
=A0
If you want fast SSL, you need hardware acceleration.=A0

________________________________________
From: owner-modssl-users [at] modssl.org =
[mailto:owner-modssl-users [at] modssl.org]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users [at] modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD =
6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that =
once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server =
can
process about 700 requests per second. Using SSL the number is in the =
13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows =
that
there are plenty of resources available. Any help would be appreciated.

Tim

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org

________________________________________
TV dinner still cooling?
Check out "Tonight's Picks" on Yahoo! TV.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org