On Wed, Feb 21, 2001 at 09:01:01AM -0800, Titus, Tim wrote:
> All of this talk about SSL connections and it makes me wonder:
> What kind of SSL load testing software is there out there?
> -Tim Titus------------------------------
> Director, Internet Operations, NCS Learn
I like http_load for both http and https:
It compiles easily with OpenSSL. However, it is important to note that
because it's using OpenSSL, it supports a LOT of cipher suites. More
than a typical web browser.
So what? Well, it will probably not give accurate results if you are
not using a cipher suite that IE or Netscape would negotiate.
For example, if you have a server also based on OpenSSL (such as
mod_ssl), http_load will negotiate the following cipher:
The "DH" is for Diffie-Hellman, which is up to 10 times more expensive
than an RSA handshake. If you load test something with this cipher, it
will give very poor performance.
Supported ciphers can be configured on the server side, which may be
something to consider.
Another example is Apache-SSL, although it uses OpenSSL the default
Depending on the browser and which SSL versions are enabled, a number of
ciphers could be used:
That list is just a sample of some actual client server SSL captures I
did recently. The point is it actually makes a big difference in the
Another thing to consider if you are load testing is SSL session
caching. We have found that not using caching gives higher performance
in lab tests. Main reason is that the load client used does not reuse
sessions. Each request is a new handshake. The caching is just
overhead on the server. BUT in the real world, the caching would be
significant, as each new request would not necessarily need to do a
I realize that we are quite off the topic of load balancing, but if you
are interested in SSL, take a look at Eric Rescorla's book. He has a
web site here: http://www.rtfm.com/sslbook/ and the ssldump tool is
This archive was generated by hypermail 2b30 : Wed Feb 21 2001 - 12:49:36 EST