Wednesday, April 3, 2013

OpenSSL trick #2 s_time

OpenSSL allows you to benchmark server response time using openssl s_time. The cmd is simple to use and provides very good statistics for evaluating buggy or suspect web servers that might have SSL issues.

Take this for example:

patrick01:~ ken1$ openssl s_time -www /knowledge-center-dos-and-ddos-attack-reports.html  -connect www.website.com:443
No CIPHER specified
Collecting connection statistics for 30 seconds
tttttttttttttttttttttttttttttttttttttttttttttttttttttt

54 connections in 0.07s; 771.43 connections/user sec, bytes read 7074
54 connections in 31 real seconds, 131 bytes read per connection


Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

51 connections in 0.02s; 2550.00 connections/user sec, bytes read 6681
51 connections in 31 real seconds, 131 bytes read per connection


We've benchmarked the connections to this particular DoS mitigation website. Now let's do it again, but this time using a specific cipher:

patrick01:~ ken1$ openssl s_time -cipher RC4-MD5  -www /knowledge-center-dos-and-ddos-attack-reports.html  -connect www.website.com:443
Collecting connection statistics for 30 seconds
ttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt

67 connections in 0.09s; 744.44 connections/user sec, bytes read 8777
67 connections in 31 real seconds, 131 bytes read per connection


Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

57 connections in 0.02s; 2850.00 connections/user sec, bytes read 7467
57 connections in 31 real seconds, 131 bytes read per connection


So we see that with RC4-MD5 (Rivest Cipher 4 with MD5) the performance numbers are different. We can extend the collection time with the -time option.

patrick01:~ ken1$ openssl s_time  -time 60 -cipher RC4-MD5  -www /knowledge-center-dos-and-ddos-attack-reports.html  -connect www.website.com:443
Collecting connection statistics for 60 seconds
tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt

138 connections in 0.17s; 811.76 connections/user sec, bytes read 18078
138 connections in 61 real seconds, 131 bytes read per connection


Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

117 connections in 0.04s; 2925.00 connections/user sec, bytes read 15327
117 connections in 61 real seconds, 131 bytes read per connection


Typically, one uses these cmds to benchmark newly configured servers, conducting the tests on the server itself via the localhost address (127.0.0.1), and to determine connections per second for different cipher options.

You will typically find that https web sites are faster when SSL offloading is done on a server load balancer, aka reverse proxy.

By default s_time conducts two series of tests, first with new connections and then with session-id reuse, but you can select just one of them with the -new or the -reuse option.


patrick01:~ ken1$ openssl s_time  -reuse -time 60 -cipher RC4-MD5  -www /knowledge-center-dos-and-ddos-attack-reports.html  -connect www.prolexic.com:443

Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

108 connections in 0.03s; 3600.00 connections/user sec, bytes read 14148
108 connections in 61 real seconds, 131 bytes read per connection
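As an added example (not part of the original post), here is a small Python parser for the s_time output shown above. The sample text is constructed from the first run in the post; parsing it shows that the large "connections/user sec" figure is per CPU second of client time, while the wall-clock rate is connections divided by real seconds.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first s_time run in the post (new phase, then reuse phase).
SAMPLE = """\
Collecting connection statistics for 30 seconds
tttttttttttttttttttttttttttttttttttttttttttttttttttttt
54 connections in 0.07s; 771.43 connections/user sec, bytes read 7074
54 connections in 31 real seconds, 131 bytes read per connection

Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
51 connections in 0.02s; 2550.00 connections/user sec, bytes read 6681
51 connections in 31 real seconds, 131 bytes read per connection
"""

# "N connections in X.XXs" reports user CPU seconds, not wall-clock time.
USER_RE = re.compile(r"(\d+) connections in ([\d.]+)s; [\d.]+ connections/user sec, bytes read (\d+)")
REAL_RE = re.compile(r"(\d+) connections in (\d+) real seconds, \d+ bytes read per connection")


@dataclass
class Phase:
    connections: int
    user_seconds: float   # CPU time consumed by the s_time client
    real_seconds: int     # wall-clock duration of the phase
    bytes_read: int

    def per_user_sec(self) -> float:
        return self.connections / self.user_seconds

    def per_real_sec(self) -> float:
        return self.connections / self.real_seconds


def parse_s_time(text: str) -> dict:
    """Return {'new': Phase, 'reuse': Phase} parsed from raw s_time output."""
    phases, name, pending = {}, "new", None
    for line in text.splitlines():
        if line.startswith("Now timing with session id reuse"):
            name = "reuse"
        elif m := USER_RE.match(line):
            pending = (int(m[1]), float(m[2]), int(m[3]))
        elif (m := REAL_RE.match(line)) and pending:
            phases[name] = Phase(pending[0], pending[1], int(m[2]), pending[2])
            pending = None
    return phases


def reuse_speedup(phases: dict) -> float:
    """Ratio of resumed to full handshakes per client CPU second."""
    return phases["reuse"].per_user_sec() / phases["new"].per_user_sec()
```

Feed it the output of a real run (for example via `subprocess.run`) to compare servers or cipher options by both CPU cost and wall-clock throughput.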



Here's a list of the options for s_time:
  • -connect host:port - host:port to connect to (default is localhost:4433)
  • -nbio         - Run with non-blocking IO
  • -ssl2         - Just use SSLv2
  • -ssl3         - Just use SSLv3
  • -bugs         - Turn on SSL bug compatibility
  • -new          - Just time new connections
  • -reuse        - Just time connection reuse
  • -www page     - Retrieve 'page' from the site
  • -time arg     - max number of seconds to collect data, default 30
  • -verify arg   - turn on peer certificate verification, arg == depth
  • -cert arg     - certificate file to use, PEM format assumed
  • -key arg      - RSA file to use, PEM format assumed, key is in cert file if not specified by this option
  • -CApath arg   - PEM format directory of CA's
  • -CAfile arg   - PEM format file of CA's
  • -cipher       - preferred cipher to use, play with 'openssl ciphers'

OpenSSL tip #2, I hope you found this interesting.

Ken Felix
Freelance Network & Security Engineer hacking around for the last 18+ years.

kfelix a-t hyperfeed d-o-t com