[erlang-questions] New ssl vs Google Chrome

Per Hedeland per@REDACTED
Wed Mar 7 19:39:25 CET 2012


Ingela Andin <ingela.andin@REDACTED> wrote:
>
>We will have to look into this more, as a start see comments below:

Thanks!

>crypto:mpint/1 of course is an overhead that could somehow be worked out
>of the equation.

The three calls in public_key:sign/3 add up to about a millisecond on
my slow test system.

>I tried it with a big key on my machine but it does not appear to make such
>a big difference as it does for you.

Right, you need a slow CPU.:-) On my workstation PC the same test gives
something like 0.2 seconds CPU for "old" and 0.6 seconds CPU for "new",
which would go unnoticed unless there were huge numbers of SSL
connections. Unfortunately our customers tend to use low-powered PowerPC
and the like, and still expect to have a usable SSL-webui (at least one
session:-). For a relevant number, 'openssl speed rsa4096' gives 2.0
sign/sec on the PPC where I'm doing the test (62.7 on my PC - i.e. 16 ms
per sign - vs 54 ms for public_key:sign/3).

But the CPU time needed to do an RSA sign is probably not the major
problem - using Firefox with "new" on the slow system works perfectly
fine, because Firefox knows how to do SSL in a server-friendly way - in
my test it's a single full SSL handshake and 5 additional connections
with session reuse, all 6 used to carry application data.

Chrome opens 26 connections, starting handshake on all of them, 7
handshakes are actually completed (5 full and 2 reuse), and only 4 of
the connections do anything useful. But somehow "old" managed to handle
this stupidity with less CPU impact - actually it ended up with "only"
19 connections, 11 completed handshakes (a single full and 10 reuse),
and 5 of them doing something useful.

If you want I can send you ssldump output off-list...

>Does your server do client verification?

No.

Thanks again!

--Per


