OpenSSL parameters

eva2000

Active Member
Apr 15, 2013
242
48
28
Brisbane, Australia
centminmod.com
@Patrick, curious: for your benchmark script, what OpenSSL parameters are tested for the sign/verify stats?

Possible to benchmark RSA 2048 bit and ECDSA 256 bit too (Nginx - Centmin Mod Nginx VHOST SPDY SSL Generator testing), as they are both going to be the most commonly used for SSL certificates at least?

i.e.

Code:
rsa 2048 bits 0.001090s 0.000034s    917.1  29162.2
256 bit ecdsa (nistp256)   0.0001s   0.0004s  14788.6   2281.4
 

eva2000

thanks @Patrick

Looks like it's an RSA 4096 bit test - not sure how many folks are using that?

should also update to OpenSSL 1.0.1i

Bash:
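# OpenSSL
OSSL()
{
    cd "$benchdir" || return 1

    appbase=openssl-1.0.1g
    apptgz=openssl-1.0.1g.tar.gz
    tgzstring=xfz
    appbin=$appbase/apps/openssl
    appdlpath=http://www.openssl.org/source/$apptgz
    # extract is defined elsewhere in the benchmark script (not shown here)
    extract

    cd "$appbase" || return 1
    echo "Building OpenSSL"
    # Note the redirection order: stdout is discarded, while stderr is
    # pointed at wherever stdout was going before, so errors stay visible
    ./config no-zlib 2>&1 >> /dev/null
    make 2>&1 >> /dev/null
    echo "Running OpenSSL test"
    # One benchmark process per available CPU thread
    nproc=$(nproc)
    ./apps/openssl speed rsa4096 -multi "${nproc}"

    # Only clean up if we are really back in the benchmark directory
    cd "$benchdir" || return 1
    rm -rf openssl*
}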

for instance on 2GB Linode VPS with 2 cpu threads on Dual Xeon E5-2680v2

Code:
openssl speed rsa4096 -multi ${nproc}

OpenSSL 1.0.2-chacha (beta3-dev)
built on: Mon Aug 25 08:41:11 UTC 2014
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.004456s 0.000071s    224.4  14134.5

Code:
openssl speed rsa2048 -multi ${nproc}

OpenSSL 1.0.2-chacha (beta3-dev)
built on: Mon Aug 25 08:41:11 UTC 2014
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000620s 0.000019s   1611.7  52631.6

Code:
openssl speed ecdsap256 -multi ${nproc}

OpenSSL 1.0.2-chacha (beta3-dev)
built on: Mon Aug 25 08:41:11 UTC 2014
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
                              sign    verify    sign/s verify/s
256 bit ecdsa (nistp256)   0.0001s   0.0002s  15384.6   4184.1
 

MiniKnight

Well-Known Member
Mar 30, 2012
2,987
892
113
NYC
I'm getting results in OpenSSL that are sometimes >40% different on sequential runs. The other benchmarks are usually close.

Any idea what's going on? Is this due to what @eva2000 is talking about here?
 

Patrick

Administrator
Staff member
Dec 21, 2010
11,908
4,871
113
I have heard rumors of that also. We are looking into the cause.
 

eva2000

MiniKnight said:
> I'm getting results in OpenSSL that are sometimes >40% different on sequential runs. The other benchmarks are usually close.
>
> Any idea what's going on? Is this due to what @eva2000 is talking about here?

AFAIK, unrelated to what I said above :)

Numbers +40% or -40%? Always lower, or higher and lower? If always lower, could be your system's entropy pool availability is lower on subsequent runs? Or if high and low, could be variances in your entropy pool availability.

For bench.centminmod.com I started to test entropy pool availability too for systems
 

eva2000

I'd check your system's entropy pool availability
Linux kernel file /proc/sys/kernel/random/entropy_avail is just an estimation. When you have an entropy pool of "4096 bits", this just means that the random numbers being generated have the highest quality of unpredictability you can produce. As the entropy pool estimation drops, the confidence in the sequence of random numbers also drops. When the entropy pool is 0, the kernel will block at generating random data until the pool can be filled again. As you generate random data, it reduces the estimation on entropy. This is the behavior of /dev/random.

In other words, think of the entropy pool as a "crypto thermometer". When the meter is at "full up", the generated numbers will be very difficult, if not near impossible to reproduce, and highly unpredictable. When the meter is completely empty, generating random bits could be reproduced by a 3rd party with little knowledge of the system accurately.
If you're using Ivy Bridge and new Intel platforms, entropy pool availability has some assistance from Intel Secure Key technology for a hardware random generator source on the CPU itself.
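
The following script is an added example, not written by any poster in this thread: it measures the sequential-run spread in sign/s that MiniKnight describes and logs /proc/sys/kernel/random/entropy_avail beside each run, so the two can be compared directly. The function names and sample lines are constructed, and it assumes the four-column sign/verify output format shown in the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): quantify run-to-run variation in
# `openssl speed` sign/s and log the kernel entropy estimate beside each run.

# Pull the sign/s column out of result lines in the format shown above, e.g.
#   rsa 2048 bits 0.000620s 0.000019s   1611.7  52631.6
#   256 bit ecdsa (nistp256)   0.0001s   0.0002s  15384.6   4184.1
# sign/s is the second-to-last field; header lines do not match.
sign_rate() {
    awk '/^rsa +[0-9]+ bits/ || /^ *[0-9]+ bits? ecdsa/ { print $(NF-1) }'
}

# Spread between slowest and fastest run, as a percentage of the fastest.
spread_pct() {
    awk 'NR == 1 { min = max = $1 + 0 }
         { v = $1 + 0; if (v < min) min = v; if (v > max) max = v }
         END { if (NR == 0 || max == 0) exit 1
               printf "%.1f\n", (max - min) / max * 100 }'
}

# Kernel entropy estimate, or "n/a" where the file is absent (non-Linux).
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo "n/a"
}

# Run `openssl speed <algo>` N times; per-run details go to stderr,
# the overall spread goes to stdout.
bench_runs() {
    br_algo=$1; br_runs=${2:-5}; br_i=1
    while [ "$br_i" -le "$br_runs" ]; do
        br_ent=$(entropy_avail)
        br_rate=$(openssl speed "$br_algo" 2>/dev/null | sign_rate)
        echo "run=$br_i entropy_avail=$br_ent sign_per_s=$br_rate" >&2
        echo "$br_rate"
        br_i=$((br_i + 1))
    done | spread_pct
}

# Constructed sample: three sequential rsa2048 result lines (not real data).
sample_runs() {
    printf '%s\n' \
        'rsa 2048 bits 0.000625s 0.000020s   1600.0  50000.0' \
        'rsa 2048 bits 0.001042s 0.000033s    960.0  30303.0' \
        'rsa 2048 bits 0.000641s 0.000020s   1560.0  50000.0'
}

# Default: analyse the constructed sample. `--live rsa2048 5` runs openssl.
if [ "${1:-}" = "--live" ]; then
    bench_runs "${2:-rsa2048}" "${3:-5}"
else
    sample_runs | sign_rate | spread_pct
fi
```

If the per-run entropy_avail values on stderr stay flat while sign/s swings, the variation has to come from somewhere else, such as other load on the host.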