On Thu, May 25, 2023 at 07:33:11AM -0600, Shawn Heisey wrote:
> On 3/11/23 22:52, Willy Tarreau wrote:
> > According to the OpenSSL devs, 3.1 should be "4 times better than 3.0",
> > so it could still remain 5-40 times worse than 1.1.1. I intend to run
> > some tests soon on it on a large machine, but preparing tests takes a
> > lot of time and my progress got delayed by the painful bug of last week.
> > I'll share my findings anywya.
>
> Just noticed that quictls has a special branch for lock changes in 3.1.0:
>
> https://github.com/quictls/openssl/tree/openssl-3.1.0+quic+locks
Yes, it was made so that the few of us who reported important issues can
retest the impact of the changes. I hope to be able to run a test on a
smaller machine soon.
> I am not sure how to go about proper testing for performance on this. I did
> try a very basic "curl a URL 1000 times in bash" test back when 3.1.0 was
> released, but that showed 3.0.8 and 3.1.0 were faster than 1.1.1, so
> concurrency is likely required to see a problem.
The problem definitely is concurrency, so 1000 curl will show nothing
and will not even match production traffic. You'll need to use a load
generator that allows you to tweak the TLS resume support, like we do
with h1load's argument "--tls-reuse". Also I don't know how often the
recently modified locks are used per server connection and per client
connection, that's what the SSL guys want to know since they're not able
to test their changes.
The first test report *before* the changes was published here a month
ago:
https://github.com/openssl/openssl/issues/20286#issuecomment-1527869072
And now we have to find time to setup a test platform to test this one
in more or less similar conditions (or at least run a before/after).
Do not hesitate to participate if you see you can provide results
comparing the two quictls-3.1 branches, it will help already. It's even
possible that these efforts do not bring anything yet, we don't know and
that's what they want to know.
Thanks,
Willy
