How to benchmark ChaCha20-Poly1305 capable websites using Apache Benchmark (ab) tool?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

How to benchmark ChaCha20-Poly1305 capable websites using Apache Benchmark (ab) tool?

Matt Holdsworth
I'm trying to use 'ab' to do some performance benchmarks of my website after having made some performance tweaks.

Specifically, I'd like to test the difference in performance between the following cipher suites - all supported by my website:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305

The three commands that I've tried are:

ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-RSA-AES128-GCM-SHA256 https://bytes.fyi/
ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-AES128-GCM-SHA256 https://bytes.fyi/
ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/

The first two work fine, but the third generates the following error:

error setting cipher list [ECDHE-ECDSA-CHACHA20-POLY1305]
1995798240:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1385:
I think my versions of ab and openssl are both up-to-date enough to support the test:

pi@pi3:~ $ which ab && ab -V
/usr/bin/ab
This is ApacheBench, Version 2.3 <$Revision: 1757674 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

pi@pi3:~ $ which openssl && openssl version
/usr/bin/openssl
OpenSSL 1.1.0f  25 May 2017

The docs for Apache Benchmark don't give much detail on how to check/modify the available cipher suites that can be specified:

-Z ciphersuite
Specify SSL/TLS cipher suite (See openssl ciphers)

I think the above implies that I should be able to use any of the cipher suites listed by the openssl ciphers command?

All three of my target cipher suites are indeed listed, so I'm confused why my ab test is failing for the ECDHE-ECDSA-CHACHA20-POLY1305 suite.

Any tips would be much appreciated!

Btw, I asked the same question on superuser.com, here:

https://superuser.com/questions/1231720/how-to-benchmark-chacha20-poly1305-capable-websites-using-apache-benchmark-ab

Cheers,

Matt
Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: How to benchmark ChaCha20-Poly1305 capable websites using Apache Benchmark (ab) tool?

Konstantin Kolinko
2017-07-25 14:52 GMT+03:00 Matt Holdsworth <[hidden email]>:

> I'm trying to use 'ab' to do some performance benchmarks of my website after having made some performance tweaks.
>
> Specifically, I'd like to test the difference in performance between the following cipher suites - all supported by my website:
>
> ECDHE-RSA-AES128-GCM-SHA256
> ECDHE-ECDSA-AES128-GCM-SHA256
> ECDHE-ECDSA-CHACHA20-POLY1305
>
> The three commands that I've tried are:
>
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-RSA-AES128-GCM-SHA256 https://bytes.fyi/
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-AES128-GCM-SHA256 https://bytes.fyi/
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/
>
> The first two work fine, but the third generates the following error:
>
> error setting cipher list [ECDHE-ECDSA-CHACHA20-POLY1305]
> 1995798240:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1385:
> I think my versions of ab and openssl are both up-to-date enough to support the test:
>
> pi@pi3:~ $ which ab && ab -V
> /usr/bin/ab
> This is ApacheBench, Version 2.3 <$Revision: 1757674 $>

1. Looking at http://svn.apache.org/r1757674
(Thu Aug 25 12:53:03 2016 UTC)
and history of httpd/httpd/branches/2.4.x/support/ab.c file that was
changed in that revision,

I think your version of AB does not support OpenSSL 1.1.0 at all,
as support for 1.1.0 was added by later revisions of that file,

http://svn.apache.org/viewvc?view=revision&revision=1787728
"Support OpenSSL 1.1.0"


> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> pi@pi3:~ $ which openssl && openssl version
> /usr/bin/openssl
> OpenSSL 1.1.0f  25 May 2017
>
> The docs for Apache Benchmark don't give much detail on how to check/modify the available cipher suites that can be specified:
>
> -Z ciphersuite
> Specify SSL/TLS cipher suite (See openssl ciphers)

2. Maybe it is also worth to try "-f TLS1.2". Though as the two other
ciphers work, maybe you do not need it.
https://httpd.apache.org/docs/2.4/programs/ab.html


> I think the above implies that I should be able to use any of the cipher suites listed by the openssl ciphers command?
>
> All three of my target cipher suites are indeed listed, so I'm confused why my ab test is failing for the ECDHE-ECDSA-CHACHA20-POLY1305 suite.
>
> Any tips would be much appreciated!
>
> Btw, I asked the same question on superuser.com, here:
>
> https://superuser.com/questions/1231720/how-to-benchmark-chacha20-poly1305-capable-websites-using-apache-benchmark-ab
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: How to benchmark ChaCha20-Poly1305 capable websites using Apache Benchmark (ab) tool?

Matt Holdsworth
> 1. Looking at http://svn.apache.org/r1757674 (Thu Aug 25 12:53:03 2016 UTC) and history of
> httpd/httpd/branches/2.4.x/support/ab.c file that was changed in that revision,

> I think your version of AB does not support OpenSSL 1.1.0 at all, as support for 1.1.0 was added by later revisions of that file,

> http://svn.apache.org/viewvc?view=revision&revision=1787728
> "Support OpenSSL 1.1.0"

Thanks Konstantin.  I guess I should try to build a more recent version from source in that case...

Are there any guides/tutorials that you can recommend re: building 'ab' from source please?

Thanks,

Matt


Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: How to benchmark ChaCha20-Poly1305 capable websites using Apache Benchmark (ab) tool?

Matt Holdsworth
I finally muddled my way through building the latest httpd trunk code (I couldn't work out if/how it's possible to just build ab without the rest of httpd), so now have a version of 'ab' which supports testing of ChaCha20-Poly1305. :)

In case it's useful to anybody else, here are the steps I used:

# apply any updates and install pre-requisites
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install libapr1 libapr1-dev libaprutil1 libaprutil1-dev libpcre3 libpcre3-dev subversion autoconf libtool libtool-bin

# move to home folder and create a folder where to build into
cd ~
mkdir httpd-install

# get the latest source and unzip it (to ~/httpd-trunk)
wget https://github.com/apache/httpd/archive/trunk.zip
unzip trunk.zip
cd httpd-trunk

# get the latest APR source and put it in '[httpd source root]/srclib/apr' (required for the build)
svn co http://svn.apache.org/repos/asf/apr/apr/trunk srclib/apr

# configure the things
chmod +x buildconf
./buildconf
./configure --prefix=/home/pi/httpd-install/ --with-included-apr

# make and install
make
make install

# create a symlink to our bleeding-edge version of ab, so we can just call it using 'ab'
sudo ln -s /home/pi/httpd-latest-install/bin/ab /usr/bin/ab


Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Loading...