Re: benchmarking mod_gnutls vs mod_ssl

From: Simon Josefsson
Subject: Re: benchmarking mod_gnutls vs mod_ssl
Date: Mon, 10 Mar 2008 12:45:01 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Sam Varshavchik <address@hidden> writes:

> Simon Josefsson writes:
>> "Paul Querna" <address@hidden> writes:
>>>> One interesting behaviour I noticed when running the tests was that with
>>>> mod_ssl, the exchanged TCP packets as seen in wireshark were:
>>>> -> client hello
>>>> <- server hello, certificate, server key exchange, server hello done
>>>> -> client key exchange, change cipher spec, encrypted handshake message
>>>> <- change cipher spec, encrypted handshake message
>>>> ...
>>>> but with gnutls we have:
>>>> -> client hello
>>>> <- server hello
>>>> <- certificate
>>>> <- server key exchange
>>>> <- server hello done
>>>> -> client key exchange, change cipher spec, encrypted handshake message
>>>> <- change cipher spec
>>>> <- encrypted handshake message
>>>> In other words, gnutls sends each TLS packet in a separate TCP packet.
>>>> This may have some impact on performance, but it is too early to tell
>>>> for sure.
>>> This might be a bug in mod_gnutls -- we might want to add some smarter
>>> buffering / picking when we do a flush(). Right now I believe we try to
>>> flush every time gnutls says there is data to send.
>> Hm, yes, perhaps mod_gnutls could do some buffering.  Or gnutls could do
>> it internally.
>>> It also would be nice if the gnutls API had a better way to say "flush",
>>> rather than just "here is data", although the current API is simple :-)
>> Aren't there options in the kernel TCP interface to delay sending
>> packets for some time, to wait for more data that could also be sent in
>> the same packet?  I have some vague memory about this.
> Yes, TCP_CORK via setsockopt. It's Linux specific.

Thanks for the pointer.  I've read some documentation about it at:

However, I'm not convinced it is a good idea for mod_gnutls to always
use it.  The first article suggests it may introduce a 200ms delay when
collecting data, which could hurt benchmarking.  Maybe we could try just
as an experiment to see if we get different results.
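
The TCP_CORK experiment discussed above, as an added example that is not part of the original message and is not mod_gnutls code: a sender corks the socket, queues a flight of small records, then uncorks as the explicit flush point instead of leaving the kernel to time out. The names `set_cork`, `send_flight` and `loopback_pair` are hypothetical, and the record strings are constructed stand-ins for TLS handshake records.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Set (on=1) or clear (on=0) TCP_CORK (Linux only); clearing pushes out queued data. */
static int set_cork(int fd, int on) {
    return setsockopt(fd, IPPROTO_TCP, TCP_CORK, &on, sizeof on);
}

/* Queue n records under cork, then uncork. Returns bytes sent or -1. */
long send_flight(int fd, const char *recs[], const size_t lens[], int n) {
    long total = 0;
    if (set_cork(fd, 1) < 0) return -1;
    for (int i = 0; i < n; i++) {
        for (size_t off = 0; off < lens[i]; ) {   /* handle short writes */
            ssize_t w = write(fd, recs[i] + off, lens[i] - off);
            if (w < 0) { set_cork(fd, 0); return -1; }
            off += (size_t)w;
        }
        total += (long)lens[i];
    }
    return set_cork(fd, 0) < 0 ? -1 : total;      /* explicit flush point */
}

/* Connected TCP pair over 127.0.0.1 (hypothetical demo helper). 0 on success. */
int loopback_pair(int *cli, int *srv) {
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t len = sizeof a;
    int l = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (l < 0 || bind(l, (struct sockaddr *)&a, sizeof a) < 0 || listen(l, 1) < 0 ||
        getsockname(l, (struct sockaddr *)&a, &len) < 0) return -1;
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0 || connect(*cli, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    *srv = accept(l, NULL, NULL);
    close(l);
    return *srv < 0 ? -1 : 0;
}

int main(void) {   /* record strings are constructed, not real TLS records */
    const char *recs[] = { "server hello", "certificate", "server key exchange", "server hello done" };
    size_t lens[] = { 12, 11, 19, 17 };
    int c, s;
    if (loopback_pair(&c, &s) < 0) return 1;
    printf("corked flight: %ld bytes\n", send_flight(s, recs, lens, 4));
    close(c); close(s);
    return 0;
}
```

Comparing a packet capture of this against the same writes without the two `set_cork` calls is the kind of experiment the message proposes.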

