gnutls-devel

Re: benchmarking mod_gnutls vs mod_ssl


From: Paul Querna
Subject: Re: benchmarking mod_gnutls vs mod_ssl
Date: Thu, 6 Mar 2008 14:43:59 -0800

On 3/5/08, Simon Josefsson <address@hidden> wrote:
> All,
>
> I've created a wiki page to explain how to benchmark mod_gnutls vs
> mod_ssl with apache2 using only official debian packages.
>
> http://trac.gnutls.org/cgi-bin/trac.cgi/wiki/BenchmarkingModGnuTLS
>
> The initial results place mod_gnutls at 50-75% of the performance of
> mod_ssl, which was higher than what I would have guessed.  We haven't
> done any organized optimizations.
>
> Results from other architectures or operating systems are very welcome.
> Just add the output at the end of the page, under a new 'Results from X'
> heading.
>
> One interesting behaviour I noticed when running the tests was that with
> mod_ssl, the exchanged TCP packets as seen in wireshark were:
>
> -> client hello
> <- server hello, certificate, server key exchange, server hello done
> -> client key exchange, change cipher spec, encrypted handshake message
> <- change cipher spec, encrypted handshake message
> ...
>
> but with gnutls we have:
>
> -> client hello
> <- server hello
> <- certificate
> <- server key exchange
> <- server hello done
> -> client key exchange, change cipher spec, encrypted handshake message
> <- change cipher spec
> <- encrypted handshake message
>
> In other words, gnutls sends each TLS packet in a separate TCP packet.
> This may have some impact on performance, but it is too early to tell
> for sure.


This might be a bug in mod_gnutls -- we might want to add some smarter buffering / picking when we do a flush(). Right now I believe we try to flush every time gnutls says there is data to send.

It also would be nice if the gnutls API had a better way to say "flush", rather than just "here is data", although the current API is simple :-)

-Paul

 

> /Simon


_______________________________________________
Gnutls-devel mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/gnutls-devel
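
The buffering idea raised in the reply, as an added example that is not part of the original message and is not mod_gnutls or GnuTLS code: a small queue sits between a per-record "here is data" callback and the socket, and flushes once per handshake flight. All names are hypothetical, socket writes are counted as a stand-in for TCP packets, and the record payloads are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

#define OUT_CAP 32768   /* assumed queue size; larger than one TLS record */

struct out_buf {
    unsigned char data[OUT_CAP];
    size_t len;     /* bytes queued, not yet written */
    int writes;     /* socket writes issued so far */
};

/* Stand-in for send(2): count the write and discard the bytes. */
static void flush_out(struct out_buf *b) {
    if (b->len == 0) return;        /* nothing queued: no empty write */
    b->writes++;
    b->len = 0;
}

/* Called once per TLS record ("here is data"). With coalesce == 0 every
 * record is flushed at once, the behaviour described in the thread. */
static int push_record(struct out_buf *b, const void *rec, size_t n, int coalesce) {
    if (n > OUT_CAP) return -1;                 /* record cannot be queued */
    if (b->len + n > OUT_CAP) flush_out(b);     /* make room first */
    memcpy(b->data + b->len, rec, n);
    b->len += n;
    if (!coalesce) flush_out(b);
    return 0;
}

/* Replay the server's records from the trace; returns socket writes used. */
static int server_writes(int coalesce) {
    /* Constructed placeholders: record names, not real TLS bytes. */
    static const char *flights[2][5] = {
        {"server hello", "certificate", "server key exchange", "server hello done", NULL},
        {"change cipher spec", "encrypted handshake message", NULL},
    };
    static struct out_buf b;
    memset(&b, 0, sizeof b);
    for (int f = 0; f < 2; f++) {
        for (int r = 0; flights[f][r] != NULL; r++)
            if (push_record(&b, flights[f][r], strlen(flights[f][r]), coalesce) != 0) return -1;
        flush_out(&b);   /* end of flight: server now waits for the client */
    }
    return b.writes;
}

int main(void) {
    printf("flush per record: %d writes\n", server_writes(0));
    printf("flush per flight: %d writes\n", server_writes(1));
    return 0;
}
```

The explicit flush at the end of each flight is what keeps the handshake from stalling: the queue must be emptied whenever the sender is about to wait for the peer.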

