From 79de0de7da1e075a7af76705d3ea663ca5c31638 Mon Sep 17 00:00:00 2001
From: v-deeparaj
Date: Mon, 18 Aug 2025 22:31:25 -0700
Subject: [PATCH 1/3] OpenSSL TLS documentation added, Tls-openssl profile scenario names are cleaned up

---
 .../profiles/Compete-OPENSSL-TLS.json | 96 ++++++------
 .../docs/workloads/openssl/Tls12vsTls13.md | 36 +++++
 website/docs/workloads/openssl/openssl-tls.md | 143 ++++++++++++++++++
 3 files changed, 227 insertions(+), 48 deletions(-)
 create mode 100644 website/docs/workloads/openssl/Tls12vsTls13.md
 create mode 100644 website/docs/workloads/openssl/openssl-tls.md

diff --git a/src/VirtualClient/VirtualClient.Main/profiles/Compete-OPENSSL-TLS.json b/src/VirtualClient/VirtualClient.Main/profiles/Compete-OPENSSL-TLS.json
index 182069c19a..b43f02c47c 100644
--- a/src/VirtualClient/VirtualClient.Main/profiles/Compete-OPENSSL-TLS.json
+++ b/src/VirtualClient/VirtualClient.Main/profiles/Compete-OPENSSL-TLS.json
@@ -26,8 +26,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_1k",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-1k",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_1KiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-1KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_1k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -39,8 +39,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_4k",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-4k",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_4KiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-4KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_4k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -52,8 +52,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_16k_{Duration}",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-16k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_16KiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-16KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_16k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -65,8 +65,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_64k_{Duration}",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-64k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_64KiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-64KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_64k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -78,8 +78,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_256k_{Duration}",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-256k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_256KiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-256KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_256k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -91,8 +91,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_1mb_{Duration}",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-1mb_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_1MiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-1MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_1mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -104,8 +104,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_100mb_{Duration}",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-100mb_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_100MiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-100MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_100mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -117,8 +117,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_512mb",
- "MetricScenario": "tls_client_aes-128-gcm-sha256-512mb",
+ "Scenario": "OpenSSL_TLS_Client_AES_128_GCM_SHA256_512MiB",
+ "MetricScenario": "tls_client_aes-128-gcm-sha256-512MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_512mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -130,8 +130,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_1k",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-1k",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_1KiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-1KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_1k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -143,8 +143,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_4k",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-4k",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_4KiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-4KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_4k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -156,8 +156,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_16k_{Duration}",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-16k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_16KiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-16KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_16k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -169,8 +169,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_64k_{Duration}",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-64k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_64KiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-64KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_64k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -182,8 +182,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_256k_{Duration}",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-256k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_256KiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-256KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_256k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -195,8 +195,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_1mb_{Duration}",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-1mb_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_1MiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-1MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_1mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -208,8 +208,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_100mb_{Duration}",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-100mb_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_100MiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-100MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_100mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -221,8 +221,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_512mb",
- "MetricScenario": "tls_client_aes-256-gcm-sha384-512mb",
+ "Scenario": "OpenSSL_TLS_Client_AES_256_GCM_SHA384_512MiB",
+ "MetricScenario": "tls_client_aes-256-gcm-sha384-512MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_512mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -234,8 +234,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_1k",
- "MetricScenario": "tls_client_chacha20-poly1305-sha256-1k",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_1KiB",
+ "MetricScenario": "tls_client_chacha20-poly1305-sha256-1KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_1k.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -247,8 +247,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_4k",
- "MetricScenario": "tls_client_chacha20-poly1305-sha256-4k",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_4KiB",
+ "MetricScenario": "tls_client_chacha20-poly1305-sha256-4KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_4k.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -260,8 +260,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_16k_{Duration}",
- "MetricScenario": "tls_client_chacha20-poly1305-sha256-16k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_16KiB",
+ "MetricScenario": "tls_client_chacha20-poly1305-sha256-16KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_16k.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -273,8 +273,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_64k_{Duration}",
- "MetricScenario": "tls_client_chacha20-poly1305-sha256-64k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_64KiB",
+ "MetricScenario": "tls_client_chacha20-poly1305-sha256-64KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_64k.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -286,8 +286,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_256k_{Duration}",
- "MetricScenario": "tls_client_chacha20-poly1305-sha256-256k_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_256KiB",
+ "MetricScenario": "tls_client_chacha20-poly1305-sha256-256KiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_256k.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -299,8 +299,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_1mb_{Duration}",
- "MetricScenario": "tls_client_chacha20-poly1305-sha256-1mb_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_1MiB",
+ "MetricScenario": "tls_client_chacha20-poly1305-sha256-1MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_1mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -312,8 +312,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20-POLY1305-SHA256-100mb_{Duration}",
- "MetricScenario": "tls_client_chacha20_poly1305_sha256_100mb_{Duration}",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20-POLY1305-SHA256-100MiB",
+ "MetricScenario": "tls_client_chacha20_poly1305_sha256_100MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_100mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
@@ -325,8 +325,8 @@
 {
 "Type": "TlsOpenSslClientExecutor",
 "Parameters": {
- "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_512mb",
- "MetricScenario": "tls_client_chacha20-poly1305-sha256-512mb",
+ "Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_512MiB",
+ "MetricScenario": "tls_client_chacha20-poly1305-sha256-512MiB",
 "CommandArguments": "s_time -connect :{ServerPort} -www /test_512mb.html -time {Duration.TotalSeconds} -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -tls1_3",
 "Duration": "$.Parameters.Duration",
 "ServerPort": "$.Parameters.ServerPort",
diff --git a/website/docs/workloads/openssl/Tls12vsTls13.md b/website/docs/workloads/openssl/Tls12vsTls13.md
new file mode 100644
index 0000000000..c6dce430e9
--- /dev/null
+++ b/website/docs/workloads/openssl/Tls12vsTls13.md
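Review bot: The renamed pair in the `@@ -312` hunk is still inconsistent with every other scenario in this file: `"Scenario": "OpenSSL_TLS_Client_CHACHA20-POLY1305-SHA256-100MiB"` keeps hyphens where all other Scenario values use underscores, and `"MetricScenario": "tls_client_chacha20_poly1305_sha256_100MiB"` keeps underscores where all other MetricScenario values use hyphens, so the 100MiB ChaCha20 metrics will not group with their siblings when queried by name. Since the stated purpose of this commit is cleaning these names up, I would change them to `"Scenario": "OpenSSL_TLS_Client_CHACHA20_POLY1305_SHA256_100MiB"` and `"MetricScenario": "tls_client_chacha20-poly1305-sha256-100MiB"`. The sample metric table added to openssl-tls.md in this same patch still lists `tls_client_chacha20-poly1305-sha256-1k`, which no longer matches any MetricScenario after this rename, so it should be refreshed or noted as captured before the rename. Patch 3 also changes the documented client command to `-connect {ServerIp}:{ServerPort}` while the unchanged `CommandArguments` context lines here keep `-connect :{ServerPort}`; presumably the executor supplies the host, but it is worth confirming the two are meant to differ.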
@@ -0,0 +1,36 @@
+# Tls 1_2 vs TLS 1_3
+Transport Layer Security 1.3 (TLS)
+The Internet Engineering Task Force (IETF) Request for Comments (RFC) 8446, released August 2018, “specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.”
+
+In addition to improvement on privacy and performance, the following are some of the major differences between TLS 1.2 and 1.3:
+
+* The supported symmetric encryption algorithm has been reduced based upon legacy status.
+* The approved symmetric encryption algorithms are all authenticated encryption with associated data (AEAD) algorithms.
+* The cipher suite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm.
+* A zero round-trip time (0-RTT) mode was added, saving a round trip at connection setup for some application data.
+* Static RSA and Diffie-Hellman cipher suites have been removed; all public key-based key exchange mechanisms now provide forward secrecy.
+* All handshake messages after the ServerHello are now encrypted.
+* Elliptic curve algorithms are now in the base spec, and new signature algorithms, such as Edwards-curve Digital Signature Algorithm (EdDSA), are included.
+* The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension.
+
+
+Two vulnerabilities that are related to using TLS 1.2 are:
+
+Compression Ratio Info-leak Made Easy (CRIME) (CVE-2012-4929)
+Security Losses from Obsolete and Truncated Transcript Hashes (SLOTH) (CVE-20157575)
+
+## The initial handshake of TLS 1.3 has three phases:
+
+* Key exchange.
+ These are exchanges of shared key material and parameters initiated by the client. All communications are encrypted after this point.
+* Server parameters.
+ These are other handshake parameters like application-layer protocol support.
+* Authentication.
+ The server, and, optionally, the client, are authenticated and provide key confirmation and handshake integrity.
+
+In the key exchange phase, the client sends the ClientHello message, which contains a random nonce (ClientHello.random); its offered protocol versions; a list of symmetric cipher/HKDF hash pairs; either a set of Diffie-Hellman key shares; a set of preshared key labels, or both and, potentially, additional extensions. Additional fields and/or messages may also be present for middlebox compatibility.
+
+The server processes the ClientHello and determines the appropriate cryptographic parameters for the connection. It then responds with its own ServerHello, which indicates the negotiated connection parameters. The combination of the ClientHello and the ServerHello determines the shared keys. If (EC)DHE key establishment is in use, then the ServerHello contains a key-share extension with the server’s ephemeral Diffie-Hellman share; the server’s share must be in the same group as one of the client’s shares. If PSK key establishment is in use, then the ServerHello contains a preshared key extension indicating which of the client’s offered PSKs was selected. Note that implementations can use (EC)DHE and PSK together, in which case both extensions will be supplied.
+
+Reference:
+* [TLS 1.3](https://www.rfc-editor.org/rfc/rfc8446.txt)
\ No newline at end of file
diff --git a/website/docs/workloads/openssl/openssl-tls.md b/website/docs/workloads/openssl/openssl-tls.md
new file mode 100644
index 0000000000..c80eb549ca
--- /dev/null
+++ b/website/docs/workloads/openssl/openssl-tls.md
@@ -0,0 +1,143 @@ +# OpenSSL-TLS +This version workload sets up OpenSSL client and server processes and measures the file throughput at the client side. +OpenSSL offers a pair of benchmarking tools to measure the network performance of TLS connections: `openssl s_server_` and `openssl s_time`. + +# Setting up the server +To set up the server, you can use the `openssl s_server` command. This command starts a simple TLS server that listens for incoming connections. You will need to provide a certificate and a private key for the server to use. +```bash +openssl s_server -accept 4433 -cert server.crt -key server.key -WWW +``` +WWW option sets up a mock webserver to respond to HTTP requests, which is useful for testing purposes. + +# Setting up the client +To set up the client, you can use the `openssl s_time` command. This command connects to the TLS server and can be used to send requests and receive responses. +In a TLS scenario, client side certificates can also be validated if server uses verify option. Since this is a simple benchmark, we will not use client certificates. +```bash +openssl s_time -connect localhost:4433 -new -time 10 +``` +this simple command will connect to the server and send requests for 10 seconds, measuring number of new connections (in 10 seconds) and number of reuse connections (in 10 seconds). This however does not report throughput. +To measure throughput, we can request a specific html file from the server and that reports number of bytes for every transaction and total throughput. +```bash +s_time -connect :{ServerPort} -www /test_1k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3 +``` + +This command requests a html file of size 1K and uses AES_128_GCM_SHA256 algorithm for its secure transaction. + +# Chosen algorithms + +s_server/s_time can be used with SSL/TLS different versions, we decided to restrict to Tls1_3 as this is the most widely used cyphersuite currently. 
+ +Difference between Tls1_2 and Tls1_3 is documented [here](Tls12vsTls13.md). + +The following Tls1_3 cryptographic cypher suites are measured. + +* TLS_AES_128_GCM_SHA256 +* TLS_AES_256_GCM_SHA384 +* TLS_CHACHA20_POLY1305_SHA256 + +## What is Being Measured? +OpenSSL client requests specific file size varying 1KiB - 512 MiB and reports the throughput. + + + +### Workload Metrics +The following metrics are examples of those captured by the Virtual Client when running the OpenSSL Speed workload + +There are 6 metrics. + +#### TotalBytesRead - for a given duration total bytes transferred from server to client +#### NumberOfConnections - number of connections made for a given duration +#### Duration - seconds for which client transacts with the server through s_time tool _ +#### BytesReadPerConnection - TotalBytesRead/NumberOfConnections +#### NewConnectionThroughput - TotalBytesRead/Duration +#### NewConnectionsPerSec - NumberOfConnections/Duration + +These metrics are reported for every file size that is requested in the profile and for three of the Tls1_3 cybersuites. TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 + +Two sets of these metrics are reported, new connection and reuse connection. + +What is the difference between new and reuse connection. + +* New connection + Every ServerHello - keyExchange happens. + +* Reuse connection + First ServerHello, keyExchange happens and this is saved on the client end and then on ClientHello sends these learned keys and server acknowledges them. + As a result the number of connections and throughput can be noticed slightly higher in reuse scenario. 
+ + +| ScenarioName | MetricName | MetricUnit | max_MetricValue | +|----------------------------------------|-----------------------------|------------------|-----------------| +| tls_client_chacha20-poly1305-sha256-1k | TotalBytesRead | bytes | 14193720 | +| tls_client_chacha20-poly1305-sha256-1k | NumberOfConnections | count | 13290 | +| tls_client_chacha20-poly1305-sha256-1k | Duration | seconds | 31 | +| tls_client_chacha20-poly1305-sha256-1k | BytesReadPerConnection | bytes/connection | 1068 | +| tls_client_chacha20-poly1305-sha256-1k | NewConnectionThroughput | bytes/sec | 457861.935483871| +| tls_client_chacha20-poly1305-sha256-1k | NewConnectionsPerSec | count | 428.709677419355| +| tls_client_chacha20-poly1305-sha256-1k | ReuseTotalBytesRead | bytes | 24037476 | +| tls_client_chacha20-poly1305-sha256-1k | ReuseNumberOfConnections | count | 22507 | +| tls_client_chacha20-poly1305-sha256-1k | ReuseDuration | seconds | 31 | +| tls_client_chacha20-poly1305-sha256-1k | ReuseBytesReadPerConnection | bytes/connection | 1068 | +| tls_client_chacha20-poly1305-sha256-1k | ReuseConnectionThroughput | bytes/sec | 775402.451612903| +| tls_client_chacha20-poly1305-sha256-1k | ReuseConnectionsPerSec | count | 726.032258064516| + +# Additional utilities + +## 1. server side cert/key generation +keys and certs are generated through this command. +```bash +openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 3650 -nodes +``` +[please note this cert is set to expire after 10 years i.e., 3650 days] + +## 2. html file generation +```bash +#!/bin/bash + +# Usage: ./generate_html.sh filename size_in_kb +# Example: ./generate_html.sh test.html 1024 + +FILENAME=$1 +SIZE_KB=$2 +SIZE_BYTES=$((SIZE_KB * 1024)) + +HEADER=" +Test File + +" +FOOTER=" +" + +# Calculate current size of header + footer +HEADER_SIZE=$(echo -n "$HEADER$FOOTER" | wc -c) +PADDING_SIZE=$((SIZE_BYTES - HEADER_SIZE)) + +if [ $PADDING_SIZE -le 0 ]; then +  echo "Requested size too small. 
Minimum size is $HEADER_SIZE bytes." +  exit 1 +fi + +# Generate padding +PADDING="" + +# Write to file +{ +echo "$HEADER" +echo "$PADDING" +echo "$FOOTER" +} > "$FILENAME" + +echo "Generated $FILENAME with size approximately ${SIZE_KB}KB." +``` + +# Reference + +* [OpenSSL GitHub](https://github.com/openssl/openssl) +* [OpenSSL Documentation](https://www.openssl.org/) +* [OpenSSL s_server](https://docs.openssl.org/3.3/man1/openssl-s_server/) +* [OpenSSL s_time](https://docs.openssl.org/3.3/man1/openssl-s_time/) + +# Technical Debt: + +Evaluate what is the ideal buffer size to measure, currently the profile has sizes from 1KiB - 512MiB +Evalueate ideal duration to use, currently 30 seconds is used. From 01dddea6d658022a7a8b8641e6e3d7ca6dea1523 Mon Sep 17 00:00:00 2001 From: v-deeparaj Date: Mon, 18 Aug 2025 22:40:33 -0700 Subject: [PATCH 2/3] Additional comments added about tls package resources --- website/docs/workloads/openssl/openssl-tls.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/website/docs/workloads/openssl/openssl-tls.md b/website/docs/workloads/openssl/openssl-tls.md index c80eb549ca..c6dfcbfd0e 100644 --- a/website/docs/workloads/openssl/openssl-tls.md +++ b/website/docs/workloads/openssl/openssl-tls.md @@ -41,7 +41,7 @@ OpenSSL client requests specific file size varying 1KiB - 512 MiB and reports th ### Workload Metrics -The following metrics are examples of those captured by the Virtual Client when running the OpenSSL Speed workload +The following section explains the metrics of this workload. These metrics are measured on the client side from s_time. There are 6 metrics. 
@@ -130,6 +130,12 @@ echo "$FOOTER" echo "Generated $FILENAME with size approximately ${SIZE_KB}KB." ``` +For eg., to generate a html file size of 100KiB run the script as follows +```bash +./generate_html.sh test_100KiB.html 100 +``` + +These files (1 and 2) i.e., server key/certs and required html files are packaged in to a zip file and installed on the server machine while setting up the workload. It is important to note that the html files should be present in the same path where openssl binary runs (this is handled inside the VC code). If a file that is not present is passed in the command line, a standard index.html is returned by s_server and this may disrupt our throughput measurement. _ # Reference * [OpenSSL GitHub](https://github.com/openssl/openssl) From 921262f72297ac15e945d70d830778b0974bbca3 Mon Sep 17 00:00:00 2001 From: dheeparaj <102752244+dheeparaj@users.noreply.github.com> Date: Tue, 19 Aug 2025 12:44:34 -0700 Subject: [PATCH 3/3] update tech debt section Signed-off-by: dheeparaj <102752244+dheeparaj@users.noreply.github.com> --- website/docs/workloads/openssl/openssl-tls.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/website/docs/workloads/openssl/openssl-tls.md b/website/docs/workloads/openssl/openssl-tls.md index c6dfcbfd0e..a56d63f7d6 100644 --- a/website/docs/workloads/openssl/openssl-tls.md +++ b/website/docs/workloads/openssl/openssl-tls.md 
@@ -18,7 +18,7 @@ openssl s_time -connect localhost:4433 -new -time 10 this simple command will connect to the server and send requests for 10 seconds, measuring number of new connections (in 10 seconds) and number of reuse connections (in 10 seconds). This however does not report throughput. To measure throughput, we can request a specific html file from the server and that reports number of bytes for every transaction and total throughput. ```bash -s_time -connect :{ServerPort} -www /test_1k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3 +s_time -connect {ServerIp}:{ServerPort} -www /test_1k.html -time {Duration.TotalSeconds} -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3 ``` This command requests a html file of size 1K and uses AES_128_GCM_SHA256 algorithm for its secure transaction. @@ -113,8 +113,8 @@ HEADER_SIZE=$(echo -n "$HEADER$FOOTER" | wc -c) PADDING_SIZE=$((SIZE_BYTES - HEADER_SIZE)) if [ $PADDING_SIZE -le 0 ]; then -  echo "Requested size too small. Minimum size is $HEADER_SIZE bytes." -  exit 1 +  echo "Requested size too small. Minimum size is $HEADER_SIZE bytes." +  exit 1 fi # Generate padding 
@@ -135,7 +135,7 @@ For eg., to generate a html file size of 100KiB run the script as follows ./generate_html.sh test_100KiB.html 100 ``` -These files (1 and 2) i.e., server key/certs and required html files are packaged in to a zip file and installed on the server machine while setting up the workload. It is important to note that the html files should be present in the same path where openssl binary runs (this is handled inside the VC code). If a file that is not present is passed in the command line, a standard index.html is returned by s_server and this may disrupt our throughput measurement. _ +These files (1 and 2) i.e., server key/certs and required html files are packaged in to a zip file and installed on the server machine while setting up the workload. It is important to note that the html files should be present in the same path where openssl binary runs (this is handled inside the VC code). If a file that is not present is passed in the command line, a standard index.html is returned by s_server and this may disrupt our throughput measurement. # Reference * [OpenSSL GitHub](https://github.com/openssl/openssl) @@ -146,4 +146,5 @@ These files (1 and 2) i.e., server key/certs and required html files are package # Technical Debt: Evaluate what is the ideal buffer size to measure, currently the profile has sizes from 1KiB - 512MiB -Evalueate ideal duration to use, currently 30 seconds is used. +Evaluate ideal duration to use, currently 30 seconds is used. +Add more unit test coverage for Openssl-tls, Openssl-client, TlsOpenssl-metric parser.