[erlang-questions] Erlang accepting SSL connection is really slow (comparing to C++)

Andreas Schultz <>
Tue Apr 10 20:55:23 CEST 2012


Hi,

----- Original Message -----
> Hi Ali,
> 
> It is indeed.
> Cipher    : DHE-RSA-AES256-SHA
>
> What would be the fastest Cipher, knowing that I don't really care
> about 128 or 256 encoding.

The cipher might be the fastest, but DHE = Ephermal-Diffi-Hellman key exchange,
that is about the slowest way to establish an SSL session. Remember, ssl_accept
does the full SSL handshake. C (OpenSSL) based implementation might delay the
full handshake until you do something else with the connection.

>From the OpenSSL ssl_accept man page:

> If the underlying BIO is blocking, SSL_accept() will only return once the handshake has been finished or an error occurred, except for SGC (Server Gated Cryptography). For
> SGC, SSL_accept() may return with -1, but SSL_get_error() will yield SSL_ERROR_WANT_READ/WRITE and SSL_accept() should be called again.

If I remember correctly, Erlang might generate DH primes even when you are
not using a DH suite and be therefore not faster, but that could be changed.

The only drawback is, that with a non-DH cipher suite a recorded encrypted
session can be decrypted when an attacker gets access to the servers private
key, with DH suites that is not possible.

Andreas

> 
> And How can I change the Cipher on the SSL options ?
> 
> Le 10 avr. 2012 à 18:50, Ali Sabil a écrit :
> 
> > Hi Morgan,
> > 
> > Did you check which cipher is being used in your c++ server vs the
> > erlang server? DHE ciphers are notably slow.
> > 
> > You can check which cipher suite is being used with:
> >    openssl s_client -host HOST -port PORT
> > 
> > On Tue, Apr 10, 2012 at 6:19 PM, Morgan Segalis
> > <> wrote:
> >> Hi Loïc,
> >> 
> >> That's what I was afraid of.
> >> 
> >> Then what would be the best workaround in order to outcome this
> >> slowness of Erlang's SSL ?
> >> Using a C++ Driver ? would that be even possible to pass a Socket
> >> to the driver for it to upgrade it into a SSL one ?
> >> 
> >> Thanks.
> >> 
> >> Le 10 avr. 2012 à 17:56, Loïc Hoguin a écrit :
> >> 
> >>> Hello!
> >>> 
> >>> On 04/10/2012 05:27 PM, SEGALIS Morgan wrote:
> >>> [...]
> >>>> While it will take 10 second to a ssl accepting bit of C++ code
> >>>> to accept
> >>>> all of them (which don't even have multiple accept pending), in
> >>>> Erlang this
> >>>> is quite different. It will accept at most 20 connections a
> >>>> second
> >>>> (according to netstat info, whilst C++ accept more like 1K
> >>>> connection per
> >>>> seconds)
> >>>> 
> >>>> While the 10K connections are awaiting for acceptance, I'm
> >>>> manually trying
> >>>> to connect as well.
> >>>> 
> >>>>     openssl s_client -ssl3 -ign_eof -connect myserver.com:4242
> >>>> 
> >>>> 3 cases happen when I do :
> >>>> 
> >>>>  - Connection simply timeout
> >>>>  - Connection will connect after waiting for it 30 sec. at least
> >>>>  - Connection will occur almost directly
> >>> 
> >>> The OTP SSL code is just very slow, and AFAIK the reason for this
> >>> is that it's done in full Erlang. Here's a quick and dirty
> >>> comparison between HTTP and HTTPS in Cowboy, where only the
> >>> transport used differs:
> >>> 
> >>> HTTP:
> >>> 
> >>> % siege -b -c 100 http://localhost:8080/
> >>> ** SIEGE 2.70
> >>> ** Preparing 100 concurrent users for battle.
> >>> The server is now under siege...^C
> >>> Lifting the server siege...      done.
> >>> Transactions:                49266 hits
> >>> Availability:               100.00 %
> >>> Elapsed time:                 5.94 secs
> >>> Data transferred:             0.56 MB
> >>> Response time:                        0.01 secs
> >>> Transaction rate:          8293.94 trans/sec
> >>> Throughput:                   0.09 MB/sec
> >>> Concurrency:                 99.36
> >>> Successful transactions:       49266
> >>> Failed transactions:             0
> >>> Longest transaction:          0.06
> >>> Shortest transaction:         0.00
> >>> 
> >>> HTTPS:
> >>> 
> >>> % siege -b -c 100 https://localhost:8443/
> >>> ** SIEGE 2.70
> >>> ** Preparing 100 concurrent users for battle.
> >>> The server is now under siege...^C
> >>> Lifting the server siege...      done.
> >>> Transactions:                  698 hits
> >>> Availability:               100.00 %
> >>> Elapsed time:                 4.50 secs
> >>> Data transferred:             0.01 MB
> >>> Response time:                        0.59 secs
> >>> Transaction rate:           155.11 trans/sec
> >>> Throughput:                   0.00 MB/sec
> >>> Concurrency:                 92.15
> >>> Successful transactions:         698
> >>> Failed transactions:             0
> >>> Longest transaction:          1.14
> >>> Shortest transaction:         0.07
> >>> 
> >>> This is on a Zenbook UX31E which is a damn good machine but it
> >>> still shows a huge difference between both of them. And the more
> >>> you try to accept at the same time, the longest time it can take
> >>> to accept.
> >>> 
> >>> --
> >>> Loïc Hoguin
> >>> Erlang Cowboy
> >>> Nine Nines
> >> 
> >> _______________________________________________
> >> erlang-questions mailing list
> >> 
> >> http://erlang.org/mailman/listinfo/erlang-questions
> 
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: 
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------




More information about the erlang-questions mailing list