Re: How to benchmark ChaCha20-Poly1305 capable websites using Apache Benchmark (ab) tool?

2017-07-25 14:52 GMT+03:00 Matt Holdsworth <matt.holdsworth@xxxxxxxxxxx>:
> I'm trying to use 'ab' to do some performance benchmarks of my website after having made some performance tweaks.
>
> Specifically, I'd like to test the difference in performance between the following cipher suites - all supported by my website:
>
> ECDHE-RSA-AES128-GCM-SHA256
> ECDHE-ECDSA-AES128-GCM-SHA256
> ECDHE-ECDSA-CHACHA20-POLY1305
>
> The three commands that I've tried are:
>
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-RSA-AES128-GCM-SHA256 https://bytes.fyi/
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-AES128-GCM-SHA256 https://bytes.fyi/
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/
>
> The first two work fine, but the third generates the following error:
>
> error setting cipher list [ECDHE-ECDSA-CHACHA20-POLY1305]
> 1995798240:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1385:
>
> I think my versions of ab and openssl are both up-to-date enough to support the test:
>
> pi@pi3:~ $ which ab && ab -V
> /usr/bin/ab
> This is ApacheBench, Version 2.3 <$Revision: 1757674 $>

1. Looking at http://svn.apache.org/r1757674
(Thu Aug 25 12:53:03 2016 UTC)
and history of httpd/httpd/branches/2.4.x/support/ab.c file that was
changed in that revision,

I think your version of AB does not support OpenSSL 1.1.0 at all,
as support for 1.1.0 was added by later revisions of that file,

http://svn.apache.org/viewvc?view=revision&revision=1787728
"Support OpenSSL 1.1.0"


> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> pi@pi3:~ $ which openssl && openssl version
> /usr/bin/openssl
> OpenSSL 1.1.0f  25 May 2017
>
> The docs for Apache Benchmark don't give much detail on how to check/modify the available cipher suites that can be specified:
>
> -Z ciphersuite
> Specify SSL/TLS cipher suite (See openssl ciphers)

2. Maybe it is also worth trying "-f TLS1.2". Though as the two other
ciphers work, maybe you do not need it.
https://httpd.apache.org/docs/2.4/programs/ab.html


> I think the above implies that I should be able to use any of the cipher suites listed by the openssl ciphers command?
>
> All three of my target cipher suites are indeed listed, so I'm confused why my ab test is failing for the ECDHE-ECDSA-CHACHA20-POLY1305 suite.
>
> Any tips would be much appreciated!
>
> Btw, I asked the same question on superuser.com, here:
>
> https://superuser.com/questions/1231720/how-to-benchmark-chacha20-poly1305-capable-websites-using-apache-benchmark-ab
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
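
Added example, not part of the original thread: the reply above says this ab revision predates OpenSSL 1.1.0 support, and ChaCha20-Poly1305 suite names only exist from OpenSSL 1.1.0 on, so what matters is the libssl that ab is linked against, not the version the `openssl` command prints. The sketch below reads `ldd` output and classifies the linked libssl by soname; the function names, the sample `ldd` text and the reliance on the upstream soname scheme are assumptions of this example.

```shell
#!/bin/sh
# Classify the libssl a binary is linked against, from ldd output on stdin.

# Print the first libssl soname seen in ldd-style output.
libssl_soname() {
    awk '$1 ~ /^libssl\.so/ { print $1; exit }'
}

# 0: OpenSSL >= 1.1.0 (ChaCha20-Poly1305 names exist)
# 1: older OpenSSL (names do not exist, "no cipher match")
# 2: soname not recognised, or binary not linked to libssl
# Assumption: upstream sonames (libssl.so.1.0.x, libssl.so.1.1, libssl.so.3).
soname_has_chacha20() {
    case "$1" in
        libssl.so.0.*|libssl.so.1.0.*)   return 1 ;;
        libssl.so.1.1*|libssl.so.[3-9]*) return 0 ;;
        *)                               return 2 ;;
    esac
}

# One-line verdict for the ldd output on stdin.
report() {
    soname=$(libssl_soname)
    rc=0
    soname_has_chacha20 "$soname" || rc=$?
    case "$rc" in
        0) echo "$soname: ChaCha20-Poly1305 suite names available" ;;
        1) echo "$soname: too old for ChaCha20-Poly1305 suite names" ;;
        *) echo "${soname:-no libssl}: cannot tell from soname" ;;
    esac
}

# Constructed sample: ldd output of a binary built against OpenSSL 1.0.2.
SAMPLE_OLD='	linux-vdso.so.1 (0x7ec00000)
	libssl.so.1.0.2 => /usr/lib/libssl.so.1.0.2 (0x76e00000)
	libcrypto.so.1.0.2 => /usr/lib/libcrypto.so.1.0.2 (0x76c00000)'

# Live check, only when ab and ldd are installed on this machine.
if command -v ab >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    ldd "$(command -v ab)" | report
fi
```

If the verdict is "too old", the -Z names that ab accepts are those of the linked library, whatever `openssl ciphers` prints for the command-line tool.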