Take this for example;
patrick01:~ ken1$ openssl s_time -www /knowledge-center-dos-and-ddos-attack-reports.html -connect www.website.com:443
No CIPHER specified
Collecting connection statistics for 30 seconds
tttttttttttttttttttttttttttttttttttttttttttttttttttttt
54 connections in 0.07s; 771.43 connections/user sec, bytes read 7074
54 connections in 31 real seconds, 131 bytes read per connection
Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
51 connections in 0.02s; 2550.00 connections/user sec, bytes read 6681
51 connections in 31 real seconds, 131 bytes read per connection
We've benchmarked the connections at this particular DoS mitigation website. Now let's do it again, but this time using a specific cipher;
patrick01:~ ken1$ openssl s_time -cipher RC4-MD5 -www /knowledge-center-dos-and-ddos-attack-reports.html -connect www.website.com:443
Collecting connection statistics for 30 seconds
ttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
67 connections in 0.09s; 744.44 connections/user sec, bytes read 8777
67 connections in 31 real seconds, 131 bytes read per connection
Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
57 connections in 0.02s; 2850.00 connections/user sec, bytes read 7467
57 connections in 31 real seconds, 131 bytes read per connection
So we see that with RC4-MD5 (Rivest Cipher 4 with MD5) the performance numbers are different. We can extend the collection time with the -time option.
patrick01:~ ken1$ openssl s_time -time 60 -cipher RC4-MD5 -www /knowledge-center-dos-and-ddos-attack-reports.html -connect www.website.com:443
Collecting connection statistics for 60 seconds
tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
138 connections in 0.17s; 811.76 connections/user sec, bytes read 18078
138 connections in 61 real seconds, 131 bytes read per connection
Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
117 connections in 0.04s; 2925.00 connections/user sec, bytes read 15327
117 connections in 61 real seconds, 131 bytes read per connection
Typically, one uses these commands to benchmark newly configured servers, running the tests on the server itself against the localhost address (127.0.0.1), and to determine connections per second for different cipher options.
You will typically find that SSL offloading for HTTPS websites is faster when using a server load balancer, aka a reverse proxy.
By default, s_time runs two series of tests, first with new sessions and then with session-id reuse, but you can restrict it to one or the other with the -new or -reuse option.
patrick01:~ ken1$ openssl s_time -reuse -time 60 -cipher RC4-MD5 -www /knowledge-center-dos-and-ddos-attack-reports.html -connect www.prolexic.com:443
Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
108 connections in 0.03s; 3600.00 connections/user sec, bytes read 14148
108 connections in 61 real seconds, 131 bytes read per connection
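To compare runs like the ones above, here is an added parser (example code written for this post, not part of OpenSSL or the original post) that reads s_time output, splits it into the new-session and session-reuse phases, and also computes connections per real second, which s_time itself does not print. The embedded sample output is constructed from the RC4-MD5 run shown earlier.

```python
import re

# Constructed sample in the shape of `openssl s_time` output; the numbers
# are copied from the 30-second RC4-MD5 run shown in this post.
SAMPLE_OUTPUT = """\
Collecting connection statistics for 30 seconds
tttttttttt
67 connections in 0.09s; 744.44 connections/user sec, bytes read 8777
67 connections in 31 real seconds, 131 bytes read per connection
Now timing with session id reuse.
starting
rrrrrrrrrr
57 connections in 0.02s; 2850.00 connections/user sec, bytes read 7467
57 connections in 31 real seconds, 131 bytes read per connection
"""

# First summary line of a phase (client user-CPU time) and second one (wall clock).
USER_RE = re.compile(r"^(\d+) connections in ([\d.]+)s; ([\d.]+) connections/user sec, bytes read (\d+)")
REAL_RE = re.compile(r"^(\d+) connections in (\d+) real seconds, (\d+) bytes read per connection")


def parse_s_time(output: str) -> dict:
    """Return per-phase stats keyed 'new' / 'reuse'. s_time's own
    'connections/user sec' divides by user CPU time, so the wall-clock
    rate (connections / real seconds) is added here as well."""
    phase = "new"
    results = {}
    for line in output.splitlines():
        if line.startswith("Now timing with session id reuse"):
            phase = "reuse"  # everything after this line is the reuse phase
            continue
        m = USER_RE.match(line)
        if m:
            results[phase] = {"connections": int(m.group(1)),
                              "user_cpu_s": float(m.group(2)),
                              "per_user_sec": float(m.group(3)),
                              "bytes_read": int(m.group(4))}
            continue
        m = REAL_RE.match(line)
        if m and phase in results:
            r = results[phase]
            r["real_s"] = int(m.group(2))
            r["per_real_sec"] = round(r["connections"] / r["real_s"], 2)
    return results


def reuse_speedup(results: dict) -> dict:
    """Reuse-phase to new-phase ratio, by client CPU (what abbreviated
    handshakes save) and by wall clock (what a latency-bound client sees)."""
    new, reuse = results["new"], results["reuse"]
    return {"cpu": round(reuse["per_user_sec"] / new["per_user_sec"], 2),
            "wall": round(reuse["per_real_sec"] / new["per_real_sec"], 2)}
```

Feed it the captured stdout of any of the runs above; a -reuse-only or -new-only run yields just the one phase.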
Here's a list of the options for s_time;
- -connect host:port - host:port to connect to (default is localhost:4433)
- -nbio - Run with non-blocking IO
- -ssl2 - Just use SSLv2
- -ssl3 - Just use SSLv3
- -bugs - Turn on SSL bug compatibility
- -new - Just time new connections
- -reuse - Just time connection reuse
- -www page - Retrieve 'page' from the site
- -time arg - max number of seconds to collect data, default 30
- -verify arg - turn on peer certificate verification, arg == depth
- -cert arg - certificate file to use, PEM format assumed
- -key arg - RSA file to use, PEM format assumed, key is in cert file if not specified by this option
- -CApath arg - PEM format directory of CA's
- -CAfile arg - PEM format file of CA's
- -cipher - preferred cipher to use, play with 'openssl ciphers'
Openssl tip#2, I hope you found this interesting.
Ken Felix
Freelance Network & Security Engineer hacking around for the last 18+ years.
kfelix a-t hyperfeed d-o-t com