Re: [load balancing] Verisign and Load Balancers

From: Eric Gray (egrayIZZATsitesmith.com)
Date: Wed Feb 21 2001 - 12:47:37 EST

Next message: Alex Samonte: "Re: [load balancing] Verisign and Load Balancers"

Previous message: Titus, Tim: "RE: [load balancing] Verisign and Load Balancers"
In reply to: Titus, Tim: "RE: [load balancing] Verisign and Load Balancers"
Next in thread: Steve Reppucci: "Re: [load balancing] Verisign and Load Balancers"
Next in thread: Tim Nelson: "RE: [load balancing] Verisign and Load Balancers"
Reply: Steve Reppucci: "Re: [load balancing] Verisign and Load Balancers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 21, 2001 at 09:01:01AM -0800, Titus, Tim wrote:
> All of this talk about SSL connections and it makes me wonder:
>
> What kind of SSL load testing software is there out there?
>
>
> -Tim Titus------------------------------
> Director, Internet Operations, NCS Learn
> -----<www.NCSlearn.com>-----------------
>

I like http_load for both http and https:

http://www.acme.com/software/http_load/

It compiles easily with OpenSSL. However, it is important to note that
because it's using OpenSSL, it supports a LOT of cipher suites. More
than a typical web browser.

So what? Well, it will probably not give accurate results if you are
not using a cipher suite that IE or Netscape would negotiate.

For example, if you have a server also based on OpenSSL (such as
mod_ssl), http_load will negotiate the following cipher:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

The "DH" is for Diffie-Hellman, which is up to 10 times more expensive
than an RSA handshake. If you load test something with this cipher, it
will give very poor performance.

Supported ciphers can be configured on the server side, which may be
something to consider.

Another example is Apache-SSL, although it uses OpenSSL the default
configuration negotiates:

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Depending on the browser and which SSL versions are enabled, a number of
ciphers could be used:

SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA

That list is just a sample of some actual client server SSL captures I
did recently. The point is it actually makes a big difference in the
performance.

Another thing to consider if you are load testing is SSL session
caching. We have found that not using caching gives higher performance
in lab tests. Main reason is that the load client used does not reuse
sessions. Each request is a new handshake. The caching is just
overhead on the server. BUT in the real world, the caching would be
significant, as each new request would not necessarily need to do a
handshake.

I realize that we are quite off the topic of load balancing, but if you
are interested in SSL, take a look at Eric Rescorla's book. He has a
web site here: http://www.rtfm.com/sslbook/ and the ssldump tool is
handy.

Eric

Next message: Alex Samonte: "Re: [load balancing] Verisign and Load Balancers"
Previous message: Titus, Tim: "RE: [load balancing] Verisign and Load Balancers"
In reply to: Titus, Tim: "RE: [load balancing] Verisign and Load Balancers"
Next in thread: Steve Reppucci: "Re: [load balancing] Verisign and Load Balancers"
Next in thread: Tim Nelson: "RE: [load balancing] Verisign and Load Balancers"
Reply: Steve Reppucci: "Re: [load balancing] Verisign and Load Balancers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 21 2001 - 12:49:36 EST