Skip to content

Process and plot results for benchmark using HA-proxy#75

Closed
Sashan wants to merge 4 commits into
openssl:mainfrom
Sashan:ha-proxy.ghnuplot
Closed

Process and plot results for benchmark using HA-proxy#75
Sashan wants to merge 4 commits into
openssl:mainfrom
Sashan:ha-proxy.ghnuplot

Conversation

@Sashan

@Sashan Sashan commented Feb 12, 2026

Copy link
Copy Markdown
Contributor

The benchmark uses h1load and siege client. To compare SSL libraries using h1load client the client runtime is used. The longer it takes to execute the test the worse performance.

The siege client runs for 10 seconds by default attempting to perform as many requests as possible.

The benchmark uses h1load and siege client. To compare
SSL libraries using h1load client the client runtime
is used. The longer it takes to execute the test the
worse performance.

The siege client runs for 10 seconds by default attempting
to perform as many requests as possible.
@Sashan Sashan self-assigned this Feb 12, 2026
@Sashan Sashan moved this to Waiting Review in Development Board Feb 12, 2026
Comment thread bench-scripts/bench_run_haproxy.sh
@github-project-automation github-project-automation Bot moved this from Waiting Review to Waiting Merge in Development Board Feb 12, 2026
@Sashan

Sashan commented Feb 12, 2026

Copy link
Copy Markdown
Contributor Author

Currently HA-proxy benahcmark runs for ~7 hours. The test uses chain of 10 proxies. The h1load command used to run those tests reads as follows:

h1load \
    -c 1280  \
    -n 40000 \
    -r 1    \
    -P      \
    -t ${THREAD_COUNT} \
    ${BASE_URL}${PORT} > ${RESULT} || exit 1

this gives like ~7hours to run complete benchmark. I'm attaching the .tgz file with results. The h1load-*out files are created by heload test. siage-*.out come from siege client.

Files with .merged suffix are processed results so they can be plotted by gnuplot. the .merged file sare also human friendly tables so one can compare the results.

The .png files are coming from gnuplot.

Those results are still very preliminary as no effort was put to investigate build optins for libraries. All tested libraries are being build with their default build settings. The typical option which is being set is prefix location where to install them.

Same goes to ha-proxy and tools. no fancy options are being used.

I'm currently re-running those tests using coniguration with single HA-proxy instead of 10 daisy chained proxy instances. According to runtime observation this makes shrinks the benchmark test run by 50%. I'll let it it finish and attach results for single HA-proxy instance once it will be done. I'm attaching result for chain of 10 proxies

results.chain-10.tgz

@jogme jogme left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some cosmetics as a first round

# - number of processes used
# the list of files looks then as follows:
# h1load-dh-rsa-noreuse-1-openssl-3.4.out
# siege-dh-rsa-noreuse-1-openssl-3.4.out

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why the change?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment here belongs to merge_siege function. The function is processing the output of siege. I've missed that in my earlier PR so I'm fixing it here.

Comment thread bench-scripts/README.md Outdated
Comment on lines +82 to +86
The siege client does not build with aws-lc library. To workaround that,
all tests use siege as http client connecting to HA-proxy, which then
establishes SSL connection towards httpterm [10] server. To collect performance
data The siege client executes requests which fetch 1k of data from httpterm
server.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a little confusing; it's reads like the h1load is not run, only siege meanwhile above paragraph mentions both

EMIT_STATS=1
for PORT in $(seq ${BASEPORT} ${TOPPORT}) ; do
emit_https_port ${HAPROXY_CONF} ${PORT} ${PROXYCERT}
if [[ ${EMIT_STATS} -eq 1 ]] ; then

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indent is off

Comment thread bench-scripts/bench_run_haproxy.sh Outdated
printf "\t${SSL_LIB}" >> ${OUTPUT_FILE}
done
printf "\n" >> ${OUTPUT_FILE}
for PROCS in `procs` ; do

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indent

Comment thread bench-scripts/bench_run_haproxy.sh Outdated
Comment on lines +419 to +429
INPUT_FILE=${RESULT_DIR}/${HANDSHAKE}-${PROCS}-${SSL_LIB}.out
#
# h1load outputs performance data combined with percentile table. Those
# parts are delimited by ^#= delimiter. The sed expression chops off
# the first part (performance table).
# tail -1 then grabs the last line where we find the test duration
# in secs. The test duration is found in the first column we read
# using awk
#
DURATION=$(sed -ne '/^#=/q;p' "${INPUT_FILE}" |tail -1 |awk '{ printf($1); }')
printf "\t${DURATION}" >> ${OUTPUT_FILE}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indent (the comment is fine)

Comment thread bench-scripts/bench_run_haproxy.sh Outdated
# new line
#
printf "\n" >> ${OUTPUT_FILE}
done

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also seems like some indent stuff here

@Sashan

Sashan commented Feb 12, 2026

Copy link
Copy Markdown
Contributor Author

After dropping the chain of 10 proxies and using single SSL proxy instance the benchmark runs for two hours. To speed things up we can remove tests for openssl releases which are no longer supported, this will also help.

here is results.single.tgz file with results and charts from gnuplot.

results.single.tgz

@Sashan

Sashan commented Feb 13, 2026

Copy link
Copy Markdown
Contributor Author

I'm afraid I'm stil not able to figure out way to use h1load test right. The current test defines the load as absolute number of requests/connections to perform and measures the duration for various number of threads (1, 2, 4, 8, 16, 32, 64). This is whet tests shows for h1load-ec-dsa-noreuse-*-openssl-master:

number of thrads duration in secs
1 22
2 12
4 7
8 4
16 4
32 4
64 4

same table for h1load-dh-rsa-noreuse-*-openssl-master:

number of thrads duration in secs
1 22
2 17
4 17
8 18
16 18
32 18
64 18

Another way to run h1load is to limit its duration time and then compare total number of requests. For identical HA-proxy configuration I'm seeing these results. The h1load command reads as follows ./h1load -c 128 -t 1-r 1 -d 10 https://127.0.0.1:10101

number of threads total requests
1 19728
2 24053
4 25545
8 25884
16 25862
32 25905
64 25806

It looks like I'm not able to set up things quite right. The machine where I'm trying this is 96 CPU box with Intel(R) Xeon(R) Gold 6248R CPU @ 3.00GHz. The reason why I think the h1load numbers are suspicious is test done by siege (see gnuplot for number of trsnsactions which shows the number of HTTP requests scales up with threads) Will be grateful for any wisdom from @wtarreau here. The config file I'm using reads as follows:

global
        default-path config
        tune.listener.default-shards by-thread
        tune.idle-pool.shared off
        ssl-default-bind-options ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3
        ssl-server-verify none

defaults ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port10000
        bind 127.0.0.1:10000 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        http-request return status 200 content-type "text/plain" string "it works"

listen port10001
        bind 127.0.0.1:10001 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:10000

defaults no-ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 no-ssl-reuse
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port10100
        bind 127.0.0.1:10100 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        http-request return status 200 content-type "text/plain" string "it works"

listen port10101
        bind 127.0.0.1:10101 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:10100

listen port10102
        bind 127.0.0.1:10102
        server port10101 127.0.0.1:10101 ssl verify none

defaults ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port10200
        bind 127.0.0.1:10200 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        http-request return status 200 content-type "text/plain" string "it works"

listen port10201
        bind 127.0.0.1:10201 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:10200

defaults no-ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 no-ssl-reuse
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port10300
        bind 127.0.0.1:10300 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        http-request return status 200 content-type "text/plain" string "it works"

listen port10301
        bind 127.0.0.1:10301 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:10300

listen port10302
        bind 127.0.0.1:10302
        server port10301 127.0.0.1:10301 ssl verify none

defaults ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port11000
        bind 127.0.0.1:11000 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        default_backend httpterm11000

backend httpterm11000
        server httpterm1-11000 127.0.0.1:9999 no-ssl

listen port11001
        bind 127.0.0.1:11001 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:11000

defaults no-ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 no-ssl-reuse
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port11100
        bind 127.0.0.1:11100 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        default_backend httpterm11100

backend httpterm11100
        server httpterm1-11100 127.0.0.1:9999 no-ssl

listen port11101
        bind 127.0.0.1:11101 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/dh-rsa-2048.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:11100

listen port11102
        bind 127.0.0.1:11102
        server port11101 127.0.0.1:11101 ssl verify none

defaults ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port11200
        bind 127.0.0.1:11200 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        default_backend httpterm11200

backend httpterm11200
        server httpterm1-11200 127.0.0.1:9999 no-ssl

listen port11201
        bind 127.0.0.1:11201 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:11200

defaults no-ssl-reuse
        mode http
        http-reuse never
        default-server max-reuse 0 ssl ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 no-ssl-reuse
        option httpclose
        timeout client 10s
        timeout server 10s
        timeout connect 10s

frontend port11300
        bind 127.0.0.1:11300 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        default_backend httpterm11300

backend httpterm11300
        server httpterm1-11300 127.0.0.1:9999 no-ssl

listen port11301
        bind 127.0.0.1:11301 ssl crt /home/sashan/work.openssl/haproxy_root.h1load/openssl-master/etc/ec-dsa-256.pem
        stats enable
        stats refresh 5s
        stats uri /stats
        server next 127.0.0.1:11300

listen port11302
        bind 127.0.0.1:11302
        server port11301 127.0.0.1:11301 ssl verify none
siege-ec-dsa-noreuse-Transactions

@jogme

jogme commented Feb 13, 2026

Copy link
Copy Markdown
Contributor

@Sashan as you commented above; do you want to fix it in this PR or in a follow-up?

@Sashan

Sashan commented Feb 13, 2026

Copy link
Copy Markdown
Contributor Author

@Sashan as you commented above; do you want to fix it in this PR or in a follow-up?

I think it can be done if folow up PR. May be other people will have better idea to further improve the script.

@nhorman nhorman added the approval: ready to merge The 24 hour grace period has passed, ready to merge label Feb 13, 2026
nhorman pushed a commit that referenced this pull request Feb 13, 2026
The benchmark uses h1load and siege client. To compare
SSL libraries using h1load client the client runtime
is used. The longer it takes to execute the test the
worse performance.

The siege client runs for 10 seconds by default attempting
to perform as many requests as possible.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 13 14:48:07 2026
(Merged from #75)
@nhorman

nhorman commented Feb 13, 2026

Copy link
Copy Markdown
Contributor

merged to main, thank you!

@nhorman nhorman closed this Feb 13, 2026
@github-project-automation github-project-automation Bot moved this from Waiting Merge to Done in Development Board Feb 13, 2026
@kroeckx

kroeckx commented Feb 13, 2026

Copy link
Copy Markdown
Member

So I suspect not all versions are actually doing the same thing. Things like the default key exchange got changed. Could things be configured so that they're all actually doing the same thing?

@Sashan

Sashan commented Feb 13, 2026

Copy link
Copy Markdown
Contributor Author

So I suspect not all versions are actually doing the same thing. Things like the default key exchange got changed. Could things be configured so that they're all actually doing the same thing?

I was kind of hoping that setting a server certificate/key is sufficient to unify key exchange accross different library versions. The HA-proxy runs with two certificate/key combination:
- ec-dsa-256.pem generated using command openssl ... -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 ..
- dh-rsa-2048.pem generated using command openssl ..-newkey rsa:4096 ...

what else should be set/configured to mitigate the effect of different library versions?

thanks.

@kroeckx

kroeckx commented Feb 16, 2026

Copy link
Copy Markdown
Member

No, the key type only has a limited effect. There are multiple signature schemes, key exchanges and ciphers. As you can see, 3.5 become slower. This is because of this:

The default TLS group list setting is now set to: ?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072

This means two key shares (X25519MLKEM768 and X25519) will be sent by default by the TLS client.

I'm not sure what the previous default was, but just doing X25519 is probably a fair comparison, and should be supported by all versions.

I assume it also transfers data. TLS_AES_128_GCM_SHA256 is probably what you want to compare, while we default to the AES256 version. I have no idea what the other libraries default to.

At least for OpenSSL you should be able to set that in the config file.

@Sashan

Sashan commented Feb 17, 2026

Copy link
Copy Markdown
Contributor Author

At least for OpenSSL you should be able to set that in the config file.

thanks for pointing me to right direction. I'll also look at other libraries and check how to configure various parameters for handshake so the test will get results which will eliminate differences introduced by different methods/algorithms.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

5 participants