I’m trying to do some simple benchmarking of my website using the Apache Benchmark (ab
) tool.
I’ve recently set up dual RSA and ECDSA certificates (from LE, of course!) and they seem to work fine.
The web server in question is pretty up-to-date (Raspbian Stretch, Nginx 1.13.3, OpenSSL 1.1.0f)… but being a Pi, its (ARM) CPU doesn’t support AES-NI instructions. My client for these tests is also a Pi, thus doesn’t have AES acceleration either, but should support ChaCha20-Poly1305 like the web server does - it’s using OpenSSL 1.1.0f just like the server.
ChaCha20-Poly1305 should be faster than AES in my case, I believe, but it’d be nice to put some numbers against that belief.
So, the four different ciphersuites that I’d like to compare are:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
I can test the AES-GCM suites just fine using ab
…
The trouble is, I can’t get ‘ab’ to work properly with ChaCha20-Poly1305. When I try, I get errors like this:
pi@pi3:~ $ ab -l -n 1 -c 1 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/
error setting cipher list [ECDHE-ECDSA-CHACHA20-POLY1305]
1996105440:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1385:
I’m confused, because I thought ab
just used whatever openssl was installed, and I’ve confirmed that my default OpenSSL does indeed support the ciphersuites that I’m attempting to test with:
pi@pi3:~ $ which openssl && openssl version
/usr/bin/openssl
OpenSSL 1.1.0f 25 May 2017
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
Does anybody know how to test ChaCha20-Poly1305 using ab
please?