[erlang-questions] New ssl vs Google Chrome

Ingela Andin <>
Thu Mar 8 11:09:04 CET 2012


Hi Per!

2012/3/7, Per Hedeland <>:
> Ingela Andin <> wrote:
>>
>>We will have to look into this more, as a start see comments below:
>
> Thanks!
>
>>crypto:mpint/1 of course is an overhead that could somehow be worked out
>>of the equation.
>
> The three calls in public_key:sign/3 add up to about a millisecond on
> my slow test system.

Actually it is public_key:encrypt_private that will be used as the
signing function for your cipher suite; only the latest version of TLS
uses public_key:sign for RSA.

>>I tried it with a big key on my machine but it does not appear to make
>>such a big difference as it does for you.
>
> Right, you need a slow CPU.:-) On my workstation PC the same test gives
> something like 0.2 seconds CPU for "old" and 0.6 seconds CPU for "new",
> which would go unnoticed unless there were huge numbers of SSL
> connections. Unfortunately our customers tend to use low-powered PowerPC
> and the like, and still expect to have a usable SSL-webui (at least one
> session:-). For a relevant number, 'openssl speed rsa4096' gives 2.0
> sign/sec on the PPC where I'm doing the test (62.7 on my PC - i.e. 16 ms
> per sign - vs 54 ms for public_key:sign/3).
>
> But the CPU time needed to do a RSA sign is probably not the major
> problem - using Firefox with "new" on the slow system works perfectly
> fine, because Firefox knows how to do SSL in a server-friendly way - in
> my test it's a single full SSL handshake and 5 additional connections
> with session reuse, all 6 used to carry application data.

It would be interesting if you could test how much gain you would get
on your slow machine if calling crypto:sign or
crypto:rsa_private_encrypt with the mpint values directly.

> Chrome opens 26 connections, starting handshake on all of them, 7
> handshakes are actually completed (5 full and 2 reuse), and only 4 of
> the connections do anything useful. But somehow "old" managed to handle
> this stupidity with less CPU impact - actually it ended up with "only"
> 19 connections, 11 completed handshakes (a single full and 10 reuse),
> and 5 of them doing something useful.

Old ssl had a bottleneck process that all connections talked to, so
maybe less parallel processing happened to be beneficial for Chrome's
stupidity.

> If you want I can send you ssldump output off-list.

Please do.

Regards,
Ingela
Erlang/OTP team - Ericsson AB
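As an added example (not code from this thread and not Erlang/OTP's own code), here is a small module that does the measurement Ingela asks for above: time public_key:sign/3 and public_key:encrypt_private/2 against the underlying crypto calls on the same key, and first check that both paths produce identical, verifiable output. It targets the current OTP crypto API, where crypto:sign/4 and crypto:private_encrypt/4 take the key components as plain unsigned big-endian binaries rather than the mpint-wrapped values the thread refers to. The key size, iteration count, public exponent and the 36-byte constructed message are arbitrary choices; the only numbers that matter are the ones it prints on the reader's own hardware.

```erlang
%% Added example, not part of the erlang-questions thread or of OTP itself.
%% Times RSA private-key operations through the public_key wrappers and
%% through crypto directly with the same key, and checks the results agree.
%% Assumes a current OTP: crypto:sign/4 and crypto:private_encrypt/4 take
%% the key as a list of unsigned big-endian binaries (the mpint wrapping the
%% thread talks about is not used).
-module(rsa_sign_bench).
-export([run/0, run/2]).

-include_lib("public_key/include/public_key.hrl").

run() ->
    run(2048, 100).

%% Bits: RSA modulus size; Iterations: how many operations to average over.
run(Bits, Iterations) ->
    %% Fresh throwaway test key; never reuse a benchmark key for anything real.
    Key = #'RSAPrivateKey'{modulus = N, publicExponent = E} =
        public_key:generate_key({rsa, Bits, 65537}),
    PubKey = #'RSAPublicKey'{modulus = N, publicExponent = E},
    CryptoKey = crypto_key(Key),
    %% Constructed stand-in for the handshake data that gets signed.
    Msg = crypto:strong_rand_bytes(36),
    Digest = crypto:hash(sha256, Msg),

    %% Same key, same input: the two signing paths must produce identical
    %% PKCS#1 v1.5 signatures, and both must verify under the public key.
    Sig = public_key:sign(Msg, sha256, Key),
    Sig = crypto:sign(rsa, sha256, Msg, CryptoKey),
    true = public_key:verify(Msg, sha256, Sig, PubKey),
    Enc = public_key:encrypt_private(Digest, Key),
    Enc = crypto:private_encrypt(rsa, Digest, CryptoKey, rsa_pkcs1_padding),
    Digest = public_key:decrypt_public(Enc, PubKey),

    Cases = [
        {"public_key:sign/3",
         fun() -> public_key:sign(Msg, sha256, Key) end},
        {"crypto:sign/4",
         fun() -> crypto:sign(rsa, sha256, Msg, CryptoKey) end},
        {"public_key:encrypt_private/2",
         fun() -> public_key:encrypt_private(Digest, Key) end},
        {"crypto:private_encrypt/4",
         fun() -> crypto:private_encrypt(rsa, Digest, CryptoKey, rsa_pkcs1_padding) end}
    ],
    Results = [{Name, per_op_us(F, Iterations)} || {Name, F} <- Cases],
    lists:foreach(
        fun({Name, Us}) ->
            io:format("~-30s ~10.1f us/op  (~.1f ops/s)~n", [Name, Us, 1.0e6 / Us])
        end, Results),
    Results.

%% crypto's rsa_private() form: [E, N, D] or, with the CRT parameters that
%% public_key also hands down, [E, N, D, P1, P2, E1, E2, C].
crypto_key(#'RSAPrivateKey'{modulus = N, publicExponent = E, privateExponent = D,
                            prime1 = P1, prime2 = P2, exponent1 = E1,
                            exponent2 = E2, coefficient = C}) ->
    [binary:encode_unsigned(X) || X <- [E, N, D, P1, P2, E1, E2, C]].

%% Average wall-clock microseconds per call of F over Iterations calls.
per_op_us(F, Iterations) ->
    F(),                                   % warm-up: keep code loading out of the loop
    {Us, ok} = timer:tc(fun() -> loop(F, Iterations) end),
    Us / Iterations.

loop(_F, 0) -> ok;
loop(F, I) -> F(), loop(F, I - 1).
```

Run it with `rsa_sign_bench:run(4096, 20).` to approximate the 4096-bit case Per measured; the difference between each public_key line and the crypto line beneath it is the wrapper overhead, and the crypto line alone is the cost of the modular exponentiation that no Erlang-level change can remove. The equality matches at the top are there so that a faster path is only reported if it produces exactly the bytes the slower one does.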


