gnutls-devel

Re: benchmarking mod_gnutls vs mod_ssl


From: Sam Varshavchik
Subject: Re: benchmarking mod_gnutls vs mod_ssl
Date: Mon, 10 Mar 2008 07:00:06 -0400

Simon Josefsson writes:

"Paul Querna" <address@hidden> writes:

One interesting behaviour I noticed when running the tests was that with
mod_ssl, the exchanged TCP packets as seen in wireshark were:

-> client hello
<- server hello, certificate, server key exchange, server hello done
-> client key exchange, change cipher spec, encrypted handshake message
<- change cipher spec, encrypted handshake message
...

but with gnutls we have:

-> client hello
<- server hello
<- certificate
<- server key exchange
<- server hello done
-> client key exchange, change cipher spec, encrypted handshake message
<- change cipher spec
<- encrypted handshake message

In other words, gnutls sends each TLS packet in a separate TCP packet.
This may have some impact on performance, but it is too early to tell
for sure.

This might be a bug in mod_gnutls -- we might want to add some smarter
buffering / picking when we do a flush(). Right now I believe we try to
flush every time gnutls says there is data to send.

Hm, yes, perhaps mod_gnutls could do some buffering.  Or gnutls could do
it internally.

It also would be nice if the gnutls API had a better way to say "flush",
rather than just "here is data", although the current API is simple :-)

Aren't there options in the kernel TCP interface to delay sending
packets for some time, to wait for more data that could also be sent in
the same packet?  I have some vague memory about this.

Yes, TCP_CORK via setsockopt. It's Linux specific.
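As an added illustration of the TCP_CORK approach Sam mentions (my own code, not from the thread and not mod_gnutls or GnuTLS code): cork the socket, write the whole flight of records, then uncork so the kernel can emit them in as few segments as possible. Function names are mine, and the four record strings are constructed stand-ins for a server's first handshake flight, not real TLS records.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Set (on=1) or clear (on=0) TCP_CORK; Linux-specific, so report -1 elsewhere. */
static int set_cork(int fd, int on)
{
#ifdef TCP_CORK
    return setsockopt(fd, IPPROTO_TCP, TCP_CORK, &on, sizeof(on));
#else
    (void)fd; (void)on; errno = ENOPROTOOPT; return -1;
#endif
}
/* Write n records while corked, then uncork: the kernel may now emit the
 * whole flight in as few segments as possible instead of one per write(). */
ssize_t send_records_corked(int fd, const char *const *recs, const size_t *lens, int n)
{
    int corked = (set_cork(fd, 1) == 0); ssize_t total = 0;   /* plain writes if no cork */
    for (int i = 0; i < n; i++) {
        for (size_t off = 0; off < lens[i]; ) {
            ssize_t w = write(fd, recs[i] + off, lens[i] - off);
            if (w < 0) { if (errno == EINTR) continue; if (corked) set_cork(fd, 0); return -1; }
            off += (size_t)w;
        }
        total += (ssize_t)lens[i];
    }
    if (corked) set_cork(fd, 0);              /* the "flush" the thread asks for */
    return total;
}
/* Demo over a loopback TCP pair with four constructed stand-in records for the
 * server's first flight; returns bytes received by the peer, or -1 on error. */
ssize_t demo_server_flight(void)
{
    const char *recs[] = { "ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone" };
    size_t lens[4], want = 0;
    for (int i = 0; i < 4; i++) { lens[i] = strlen(recs[i]); want += lens[i]; }
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t al = sizeof(a);
    if (ls < 0 || cs < 0 || bind(ls, (struct sockaddr *)&a, al) || listen(ls, 1) ||
        getsockname(ls, (struct sockaddr *)&a, &al) || connect(cs, (struct sockaddr *)&a, al)) return -1;
    int ss = accept(ls, NULL, NULL);
    if (ss < 0 || send_records_corked(ss, recs, lens, 4) != (ssize_t)want) return -1;
    char buf[128]; size_t got = 0;
    for (ssize_t r; got < want && (r = read(cs, buf + got, want - got)) > 0; ) got += (size_t)r;
    close(ss); close(cs); close(ls);
    return (ssize_t)got;
}
```

The uncork is what actually pushes the data; the Linux tcp(7) man page notes that corked output is held for at most 200 milliseconds anyway, so a forgotten uncork costs latency rather than a hang.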

