Re: [load balancing] Verisign and Load Balancers

From: Eric Gray
Date: Wed Feb 21 2001 - 12:47:37 EST

    On Wed, Feb 21, 2001 at 09:01:01AM -0800, Titus, Tim wrote:
    > All of this talk about SSL connections and it makes me wonder:
    > What kind of SSL load testing software is there out there?
    > -Tim Titus
    > Director, Internet Operations, NCS Learn

    I like http_load for both http and https:

    It compiles easily with OpenSSL. However, it is important to note that
    because it's using OpenSSL, it supports a LOT of cipher suites. More
    than a typical web browser.

    So what? Well, it will probably not give accurate results if you are
    not using a cipher suite that IE or Netscape would negotiate.

    For example, if you have a server also based on OpenSSL (such as
    mod_ssl), http_load will negotiate the following cipher:


    The "DH" is for Diffie-Hellman, which is up to 10 times more expensive
    than an RSA handshake. If you load test something with this cipher, it
    will give very poor performance.

    Supported ciphers can be configured on the server side, which may be
    something to consider.

    Another example is Apache-SSL: although it uses OpenSSL, the default
    configuration negotiates:


    Depending on the browser and which SSL versions are enabled, a number of
    ciphers could be used:


    That list is just a sample of some actual client server SSL captures I
    did recently. The point is it actually makes a big difference in the

    Another thing to consider if you are load testing is SSL session
    caching. We have found that not using caching gives higher performance
    in lab tests. The main reason is that the load client used does not reuse
    sessions. Each request is a new handshake. The caching is just
    overhead on the server. BUT in the real world, the caching would be
    significant, as each new request would not necessarily need to do a

    I realize that we are quite off the topic of load balancing, but if you
    are interested in SSL, take a look at Eric Rescorla's book. He has a
    web site here: and the ssldump tool is
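
Added example, not part of the original message: a small Python model of the cipher selection discussed above, reporting when a load tool's offer leads to a different suite (and key exchange) than browser profiles would negotiate against the same server. The cipher lists are constructed samples, the function names are hypothetical, and the prefix-based classification is a heuristic for OpenSSL-style suite names.

```python
# Added example: model of SSL cipher selection, used to check that a load
# tool negotiates the same suite a browser would. Lists are constructed samples.

KX_PREFIXES = (("ECDHE-", "ECDHE"), ("EDH-", "DHE"), ("DHE-", "DHE"),
               ("ADH-", "ADH"), ("DH-", "DH"))

def key_exchange(suite):
    """Classify key exchange from an OpenSSL-style suite name (heuristic)."""
    base = suite[4:] if suite.startswith("EXP-") else suite
    for prefix, kx in KX_PREFIXES:
        if base.startswith(prefix):
            return kx
    return "RSA"  # OpenSSL names carry no prefix for plain RSA key exchange

def negotiate(client_offer, server_enabled, server_preference=False):
    """First mutually supported suite, in client order unless the server
    enforces its own order. Returns None if nothing is shared."""
    ordered, other = ((server_enabled, client_offer) if server_preference
                      else (client_offer, server_enabled))
    shared = set(other)
    return next((s for s in ordered if s in shared), None)

def mismatches(tool_offer, browser_offers, server_enabled, server_preference=False):
    """Return the tool's suite and the browser profiles that negotiate another."""
    tool = negotiate(tool_offer, server_enabled, server_preference)
    out = []
    for label, offer in sorted(browser_offers.items()):
        suite = negotiate(offer, server_enabled, server_preference)
        if suite != tool:
            out.append((label, suite, key_exchange(suite) if suite else None))
    return tool, out

def browser_like_offer(tool_offer, browser_offers, server_enabled, server_preference=False):
    """Subset of the tool's suites that some browser profile would negotiate."""
    wanted = {negotiate(o, server_enabled, server_preference)
              for o in browser_offers.values()}
    return [s for s in tool_offer if s in wanted]

# Constructed sample offers (not captures from the original message).
TOOL = ["EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]
BROWSERS = {"browser_a": ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"],
            "browser_b": ["RC4-MD5", "EXP-RC4-MD5"]}
SERVER = ["EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5", "EXP-RC4-MD5"]

if __name__ == "__main__":
    tool, diff = mismatches(TOOL, BROWSERS, SERVER)
    print("load tool:", tool, key_exchange(tool))
    for label, suite, kx in diff:
        print("differs from", label, "->", suite, kx)
    print("restricted offer:", ":".join(browser_like_offer(TOOL, BROWSERS, SERVER)))
```

The colon-joined output of `browser_like_offer` is in OpenSSL cipher-list syntax, so it can be used wherever the load client accepts a cipher string.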


    This archive was generated by hypermail 2b30 : Wed Feb 21 2001 - 12:49:36 EST