[erlang-questions] Erlang accepting SSL connection is really slow (comparing to C++)
Andreas Schultz
aschultz@REDACTED
Tue Apr 10 20:55:23 CEST 2012
Hi,
----- Original Message -----
> Hi Ali,
>
> It is indeed.
> Cipher : DHE-RSA-AES256-SHA
>
> What would be the fastest Cipher, knowing that I don't really care
> about 128 or 256 encoding.
The cipher might be the fastest, but DHE = Ephemeral Diffie-Hellman key exchange,
that is about the slowest way to establish an SSL session. Remember, ssl_accept
does the full SSL handshake. A C (OpenSSL) based implementation might delay the
full handshake until you do something else with the connection.
From the OpenSSL ssl_accept man page:
> If the underlying BIO is blocking, SSL_accept() will only return once the handshake has been finished or an error occurred, except for SGC (Server Gated Cryptography). For
> SGC, SSL_accept() may return with -1, but SSL_get_error() will yield SSL_ERROR_WANT_READ/WRITE and SSL_accept() should be called again.
If I remember correctly, Erlang might generate DH primes even when you are
not using a DH suite and therefore not be faster, but that could be changed.
The only drawback is that with a non-DH cipher suite a recorded encrypted
session can be decrypted when an attacker gets access to the server's private
key; with DH suites that is not possible.
Andreas
>
> And How can I change the Cipher on the SSL options ?
>
> On 10 Apr 2012 at 18:50, Ali Sabil wrote:
>
> > Hi Morgan,
> >
> > Did you check which cipher is being used in your c++ server vs the
> > erlang server? DHE ciphers are notably slow.
> >
> > You can check which cipher suite is being used with:
> > openssl s_client -host HOST -port PORT
> >
> > On Tue, Apr 10, 2012 at 6:19 PM, Morgan Segalis
> > <msegalis@REDACTED> wrote:
> >> Hi Loïc,
> >>
> >> That's what I was afraid of.
> >>
> >> Then what would be the best workaround in order to overcome this
> >> slowness of Erlang's SSL ?
> >> Using a C++ Driver ? would that be even possible to pass a Socket
> >> to the driver for it to upgrade it into a SSL one ?
> >>
> >> Thanks.
> >>
> >> On 10 Apr 2012 at 17:56, Loïc Hoguin wrote:
> >>
> >>> Hello!
> >>>
> >>> On 04/10/2012 05:27 PM, SEGALIS Morgan wrote:
> >>> [...]
> >>>> While it will take 10 seconds for an SSL-accepting bit of C++ code to accept
> >>>> all of them (which doesn't even have multiple accepts pending), in Erlang this
> >>>> is quite different. It will accept at most 20 connections a second
> >>>> (according to netstat info, whilst C++ accepts more like 1K connections per
> >>>> second)
> >>>>
> >>>> While the 10K connections are awaiting acceptance, I'm manually trying
> >>>> to connect as well.
> >>>>
> >>>> openssl s_client -ssl3 -ign_eof -connect myserver.com:4242
> >>>>
> >>>> 3 cases happen when I do :
> >>>>
> >>>> - Connection simply times out
> >>>> - Connection will connect after waiting for it 30 sec. at least
> >>>> - Connection will occur almost directly
> >>>
> >>> The OTP SSL code is just very slow, and AFAIK the reason for this
> >>> is that it's done in full Erlang. Here's a quick and dirty
> >>> comparison between HTTP and HTTPS in Cowboy, where only the
> >>> transport used differs:
> >>>
> >>> HTTP:
> >>>
> >>> % siege -b -c 100 http://localhost:8080/
> >>> ** SIEGE 2.70
> >>> ** Preparing 100 concurrent users for battle.
> >>> The server is now under siege...^C
> >>> Lifting the server siege... done.
> >>> Transactions: 49266 hits
> >>> Availability: 100.00 %
> >>> Elapsed time: 5.94 secs
> >>> Data transferred: 0.56 MB
> >>> Response time: 0.01 secs
> >>> Transaction rate: 8293.94 trans/sec
> >>> Throughput: 0.09 MB/sec
> >>> Concurrency: 99.36
> >>> Successful transactions: 49266
> >>> Failed transactions: 0
> >>> Longest transaction: 0.06
> >>> Shortest transaction: 0.00
> >>>
> >>> HTTPS:
> >>>
> >>> % siege -b -c 100 https://localhost:8443/
> >>> ** SIEGE 2.70
> >>> ** Preparing 100 concurrent users for battle.
> >>> The server is now under siege...^C
> >>> Lifting the server siege... done.
> >>> Transactions: 698 hits
> >>> Availability: 100.00 %
> >>> Elapsed time: 4.50 secs
> >>> Data transferred: 0.01 MB
> >>> Response time: 0.59 secs
> >>> Transaction rate: 155.11 trans/sec
> >>> Throughput: 0.00 MB/sec
> >>> Concurrency: 92.15
> >>> Successful transactions: 698
> >>> Failed transactions: 0
> >>> Longest transaction: 1.14
> >>> Shortest transaction: 0.07
> >>>
> >>> This is on a Zenbook UX31E which is a damn good machine but it
> >>> still shows a huge difference between both of them. And the more
> >>> you try to accept at the same time, the longer it can take
> >>> to accept.
> >>>
> >>> --
> >>> Loïc Hoguin
> >>> Erlang Cowboy
> >>> Nine Nines
> >>
> >> _______________________________________________
> >> erlang-questions mailing list
> >> erlang-questions@REDACTED
> >> http://erlang.org/mailman/listinfo/erlang-questions
>
--
Dipl. Inform.
Andreas Schultz
email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073
------------------ managed broadband access ------------------
Travelping GmbH phone: +49-391-8190990
Roentgenstr. 13 fax: +49-391-819099299
D-39108 Magdeburg email: info@REDACTED
GERMANY web: http://www.travelping.com
Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
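
The trade-off described in the reply above, written as listen options for Erlang's ssl application. This is an added example, not part of the original thread and not OTP's own code. It assumes OTP 20.3 or later (for `ssl:cipher_suites/2` and `ssl:filter_cipher_suites/2`); the module name `fs_listen` and the policy atoms `forward_secret` and `static_rsa` are hypothetical.

```erlang
%% Added example, not from the thread. Assumes OTP 20.3 or later.
-module(fs_listen).                      % hypothetical module name
-export([suites/1, listen/4]).

%% suites(forward_secret): ephemeral key exchanges only, so a recorded
%%   session cannot be decrypted if the server's private key leaks later.
%%   ECDHE is ordered ahead of DHE as the cheaper ephemeral exchange.
%% suites(static_rsa): plain RSA key exchange, a lighter handshake that
%%   gives up that property. Taken from the full list ('all'), which also
%%   covers suites that are outside the defaults.
suites(forward_secret) ->
    Default = ssl:cipher_suites(default, 'tlsv1.2'),
    ECDHE = filter_kex(Default, [ecdhe_ecdsa, ecdhe_rsa]),
    DHE = filter_kex(Default, [dhe_rsa, dhe_dss]),
    ECDHE ++ DHE;
suites(static_rsa) ->
    filter_kex(ssl:cipher_suites(all, 'tlsv1.2'), [rsa]).

%% Keep only the suites whose key exchange is in Allowed.
%% filter_cipher_suites/2 also drops suites the crypto library lacks.
filter_kex(Suites, Allowed) ->
    ssl:filter_cipher_suites(Suites,
        [{key_exchange, fun(Kex) -> lists:member(Kex, Allowed) end}]).

%% Open a TLS 1.2 listen socket restricted to the chosen policy.
%% honor_cipher_order makes the server's ordering win over the client's.
listen(Port, CertFile, KeyFile, Policy) ->
    ssl:listen(Port, [{certfile, CertFile},
                      {keyfile, KeyFile},
                      {versions, ['tlsv1.2']},
                      {ciphers, suites(Policy)},
                      {honor_cipher_order, true},
                      {reuseaddr, true}]).
```

The suite a client actually negotiates can be confirmed with the `openssl s_client -host HOST -port PORT` check quoted earlier in the thread.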