httpd-users mailing list archives

From Cedric Roijakkers <Cedric.Roijakk...@qnh.nl>
Subject Re: Fwd: [users@httpd] Performance drop in 2.4.7 versus 2.4.6
Date Fri, 21 Feb 2014 14:30:59 GMT
Hi,

I went on and cloned the OpenSSL 1.0.2 repository, compiled it, and did some checks.

Turns out you were correct, when using DH, the parameter is now 2048:

Server Temp Key: DH, 2048 bits

As compared to 2.4.6:

Server Temp Key: DH, 1024 bits

Following the documentation, I added 1024-bit DH parameters to the SSL certificate configuration
file, and poof:

Server Temp Key: DH, 1024 bits

And also:

HTTP OK: Status line output matched "200" - 19091 bytes in 0.022 second response time |time=0.022378s;2.000000;3.000000;0.000000 size=19091B;;;0

I agree that this is less secure, but on the other hand, ECDHE is way ahead of DHE in our
cipher list, so this would probably not impact end users after all. Since Java <= 7 is
still having a lot of problems with keys larger than 1024 bits (and we've seen this happen,
since our automated tests are run in Java), downgrading to 1024 will fix the issues, and we
can upgrade to 2.4.7 again.

Many thanks for your help!

Cedric


On 21/02/2014 13:02, Jeff Trawick wrote:
> Including dev@httpd.apache.org...
>
> Is anybody else seeing the same behavior? Looking at the documentation, 2.4.7
> has gained some performance improvements, but I'm seeing something different on
> my end.
>

Perhaps it's the increased DH parameter size? If it has increased from 1024 bits
to 2048 that would have a significant effect.

OpenSSL 1.0.2 s_client can help check this, if you do:

openssl s_client -connect www.host.com:443

it says (among lots of other stuff):

Server Temp Key: DH, xxxx bits

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
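
The s_client check described in this thread can be scripted. The following is an added example, not part of the original messages: it parses the "Server Temp Key" line and flags finite-field DH below a floor. The names check_temp_key and MIN_DH_BITS and the 2048-bit floor are assumptions of the example, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify the "Server Temp Key" line from `openssl s_client` output.
# check_temp_key and MIN_DH_BITS are names made up here; 2048 is an assumed policy floor.
MIN_DH_BITS=${MIN_DH_BITS:-2048}

# Reads s_client output on stdin, prints one verdict line.
# Returns 0 = acceptable, 1 = finite-field DH below the floor, 2 = no temp key line.
check_temp_key() {
    line=$(sed -n 's/^[[:space:]]*Server Temp Key:[[:space:]]*//p' | head -n 1)
    if [ -z "$line" ]; then
        echo "NONE no Server Temp Key line (no ephemeral key exchange reported)"
        return 2
    fi
    kind=${line%%,*}
    bits=$(printf '%s\n' "$line" | sed -n 's/.*[ ,]\([0-9][0-9]*\) bits.*/\1/p')
    case "$kind" in
        DH)
            if [ "${bits:-0}" -lt "$MIN_DH_BITS" ]; then
                echo "WEAK DH ${bits:-?} bits (minimum $MIN_DH_BITS)"
                return 1
            fi
            echo "OK DH $bits bits"
            ;;
        *)
            echo "OK $kind ${bits:-?} bits (not finite-field DH)"
            ;;
    esac
}

# Constructed sample lines in the format quoted in the thread.
demo() {
    for sample in \
        'Server Temp Key: DH, 1024 bits' \
        'Server Temp Key: DH, 2048 bits' \
        'Server Temp Key: ECDH, prime256v1, 256 bits'
    do
        printf '%s\n' "$sample" | check_temp_key || true
    done
}
demo

# Live use (www.host.com is the placeholder from the thread). Where ECDHE is ahead of
# DHE in the cipher list, restrict the offer to DHE suites so the DH size is reported:
#   openssl s_client -connect www.host.com:443 -cipher EDH </dev/null 2>/dev/null | check_temp_key
```
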

