Benchmarking ECDSA vs RSA certs and various ciphersuites

I’m trying to do some simple benchmarking of my website using the Apache Benchmark (ab) tool.

I’ve recently set up dual RSA and ECDSA certificates (from LE, of course!) and they seem to work fine.

The web server in question is pretty up-to-date (Raspbian Stretch, Nginx 1.13.3, OpenSSL 1.1.0f)… but being a Pi, its (ARM) CPU doesn’t support AES-NI instructions. My client for these tests is also a Pi, thus doesn’t have AES acceleration either, but should support ChaCha20-Poly1305 like the web server does - it’s using OpenSSL 1.1.0f just like the server.

ChaCha20-Poly1305 should be faster than AES in my case, I believe, but it’d be nice to put some numbers against that belief.

So, the four different ciphersuites that I’d like to compare are:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305

I can test the AES-GCM suites just fine using ab.

The trouble is, I can’t get ‘ab’ to work properly with ChaCha20-Poly1305. When I try, I get errors like this:

pi@pi3:~ $ ab -l -n 1 -c 1 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/
error setting cipher list [ECDHE-ECDSA-CHACHA20-POLY1305]
1996105440:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1385:

I’m confused, because I thought ab just used whatever openssl was installed, and I’ve confirmed that my default OpenSSL does indeed support the ciphersuites that I’m attempting to test with:

pi@pi3:~ $ which openssl && openssl version
/usr/bin/openssl
OpenSSL 1.1.0f  25 May 2017
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
pi@pi3:~ $ openssl ciphers -v |grep ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD

Does anybody know how to test ChaCha20-Poly1305 using ab please?

This question is probably best directed to a Stack Overflow forum, as it’s about testing rather than Let’s Encrypt certificates.

Thanks @ahaw021. I’ve asked the same (well, very similar) question on Super User (as I thought I’d just get “but this isn’t programming” downvotes on SO)… but no responses yet, which disappointed me a bit. :frowning:

Yeah - had a look at the ab tool and you are right, it does use openssl, and yours seems to be configured correctly.

https://github.com/apache/httpd/blob/0e6726ebaf7e508c474db27b6b33c844071bfc9d/support/ab.c is the source code if you want to go and have a dig

Andrei
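An added example, not from any poster in this thread: a shell script that checks which libssl the `ab` binary is dynamically linked against (the thread assumes it is the same library as the `openssl` command) and times the four suites with `openssl s_time` instead of `ab`. The function names are hypothetical, and it assumes a TLS 1.2 connection as in the thread, with `ldd`, `awk` and `sed` available.

```shell
#!/bin/sh
# Added example (not the thread's code). Usage: sh bench.sh bytes.fyi:443 10

# Read `ldd` output on stdin, print the libssl shared object it names.
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ { print $1; exit }'
}

# Succeed if the openssl CLI on PATH accepts the suite name.
cli_supports() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Read `openssl s_time` output on stdin, print connections per user-CPU second.
conn_per_sec() {
    sed -n 's/.*; \([0-9.]*\) connections\/user sec.*/\1/p' | head -n 1
}

# bench HOST:PORT SUITE SECONDS -> prints "SUITE RATE" (full handshakes, fetching /)
bench() {
    rate=$(openssl s_time -connect "$1" -new -www / -cipher "$2" -time "$3" \
           2>/dev/null | conn_per_sec)
    printf '%s %s\n' "$2" "${rate:-failed}"
}

main() {
    target=$1
    secs=${2:-10}
    # If these two lines name different OpenSSL versions, ab and the CLI
    # do not share a cipher list.
    echo "ab links against: $(ldd "$(command -v ab)" | libssl_from_ldd)"
    echo "openssl CLI is:   $(openssl version)"
    for s in ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 \
             ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305; do
        if cli_supports "$s"; then
            bench "$target" "$s" "$secs"
        else
            printf '%s unsupported-by-cli\n' "$s"
        fi
    done
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

`s_time` reports connections per second of client CPU time, so the figures are comparable across suites on the same client but are not the requests-per-second number `ab` prints.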
