How can I use the Apache Benchmark (ab) tool to benchmark a website that supports ChaCha20-Poly1305?

I'm trying to run some performance benchmarks against my website with ab, after making some performance tweaks to it.

Specifically, I want to test the performance difference between the following cipher suites, all of which my website supports:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305 

The three commands I have tried are:

ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-RSA-AES128-GCM-SHA256 https://bytes.fyi/
ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-AES128-GCM-SHA256 https://bytes.fyi/
ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/

The first two work fine, but the third produces the following error:

error setting cipher list [ECDHE-ECDSA-CHACHA20-POLY1305]
1995798240:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1385:

I believe my versions of ab and openssl are both recent enough to support the test:

pi@pi3:~ $ which ab && ab -V
/usr/bin/ab
This is ApacheBench, Version 2.3 <$Revision: 1757674 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

pi@pi3:~ $ which openssl && openssl version
/usr/bin/openssl
OpenSSL 1.1.0f  25 May 2017

The Apache Benchmark documentation does not go into detail about how to check or modify the available cipher suites that can be specified:

-Z ciphersuite
Specify SSL/TLS cipher suite (See openssl ciphers)

I take the above to mean that I should be able to use any cipher suite listed by the openssl ciphers command.

All three of my target cipher suites are indeed listed, so I'm confused as to why my ab test of the ECDHE-ECDSA-CHACHA20-POLY1305 suite fails.

Here is some output showing that my target suite is supported by my version of openssl:

pi@pi3:~ $ openssl ciphers -v | grep ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD

Answer 1

Answering my own question now that I've solved it, in case it's useful to anyone else...

It turns out that my version of ab was too old to (properly) support OpenSSL 1.1.0, as suggested by Konstantin Kolinko (via the httpd support mailing list):

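Looking at http://svn.apache.org/r1757674 (Thu, 25 Aug 2016 12:53:03 UTC) and at the history of the httpd/httpd/branches/2.4.x/support/ab.c file changed in that revision, I think that your version of ab does not support OpenSSL 1.1.0 at all, as support for 1.1.0 was added in a later revision of that file,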

http://svn.apache.org/viewvc?view=revision&revision=1787728 "Support OpenSSL 1.1.0"

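In the end, I had to build the latest trunk code of the whole of Apache httpd to get a modern, working version of ab. I just built it in my home folder, as I won't actually be using any other part of httpd: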

# apply any updates and install pre-requisites
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install libapr1 libapr1-dev libaprutil1 libaprutil1-dev libpcre3 libpcre3-dev subversion autoconf libtool libtool-bin

# move to home folder and create a folder where to build into
cd ~
mkdir httpd-install

# get the latest source and unzip it (to ~/httpd-trunk)
wget https://github.com/apache/httpd/archive/trunk.zip
unzip trunk.zip
cd httpd-trunk

# get the latest APR source and put it in '[httpd source root]/srclib/apr' (required for the build)
svn co http://svn.apache.org/repos/asf/apr/apr/trunk srclib/apr

# configure the things
chmod +x buildconf
./buildconf
./configure --prefix=/home/pi/httpd-install/ --with-included-apr

# make and install
make
make install

# create a symlink to our bleeding-edge version of ab, so we can just call it using 'ab'
sudo ln -s /home/pi/httpd-install/bin/ab /usr/bin/ab

So, it wasn't simple... but it did work. I now have a bleeding-edge version of ab, which appears to work even with modern cipher suites such as ECDHE-ECDSA-CHACHA20-POLY1305:

pi@pi3:~ $ ab -l -n 1000 -c 10 -k -H "Accept-Encoding: gzip, deflate, br" -Z ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/
This is ApacheBench, Version 2.3 <$Revision$>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking bytes.fyi (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests


Server Software:        nginx
Server Hostname:        bytes.fyi
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
Server Temp Key:        
TLS Server Name:        bytes.fyi

Document Path:          /
Document Length:        Variable

Concurrency Level:      10
Time taken for tests:   6.876 seconds
Complete requests:      1000
Failed requests:        0
Keep-Alive requests:    0
Total transferred:      10464567 bytes
HTML transferred:       8983567 bytes
Requests per second:    145.42 [#/sec] (mean)
Time per request:       68.764 [ms] (mean)
Time per request:       6.876 [ms] (mean, across all concurrent requests)
Transfer rate:          1486.13 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       10   31   9.6     32     110
Processing:    16   37   9.4     36     116
Waiting:       14   33   8.5     34      93
Total:         30   68  14.2     69     153

Percentage of the requests served within a certain time (ms)
  50%     69
  66%     72
  75%     73
  80%     74
  90%     77
  95%     87
  98%    103
  99%    116
 100%    153 (longest request)
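
An added example, not part of the original answer or of the ab project: a shell helper that reads an ab report, checks that the suite on the SSL/TLS Protocol line is the one passed to -Z, and extracts the figures needed to compare suites. The function names are assumptions made for this example, and the embedded sample is an excerpt of the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): summarize one ab report and
# verify that the negotiated cipher suite is the one that was requested.

# ab_summary REQUESTED_SUITE < ab-report
# Prints "<negotiated suite> <requests/sec> <mean ms/request> <keep-alive requests>".
# Returns 1 when the negotiated suite is missing or differs from the request.
ab_summary() {
    awk -v want="$1" '
        # ab prints: protocol,cipher,public key bits,secret key bits
        /^SSL\/TLS Protocol:/ { split($3, tls, ","); got = tls[2] }
        /^Requests per second:/ { rps = $4 }
        # Two "Time per request" lines exist; keep the first (per-request mean).
        /^Time per request:/ && !seen { ms = $4; seen = 1 }
        /^Keep-Alive requests:/ { ka = $3 }
        END {
            printf "%s %s %s %s\n", got, rps, ms, ka
            exit (got == want ? 0 : 1)
        }'
}

# bench_suite SUITE URL: run ab with the flags used on this page and summarize.
# Defined only, not called here, because it needs ab and network access.
bench_suite() {
    ab -l -n 1000 -c 10 -k -H "Accept-Encoding: gzip, deflate, br" -Z "$1" "$2" 2>&1 |
        ab_summary "$1"
}

# Sample input: excerpt of the ab report from the answer above.
sample_ab_output() {
    cat <<'EOF'
Server Software:        nginx
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
Complete requests:      1000
Failed requests:        0
Keep-Alive requests:    0
Requests per second:    145.42 [#/sec] (mean)
Time per request:       68.764 [ms] (mean)
Time per request:       6.876 [ms] (mean, across all concurrent requests)
EOF
}

sample_ab_output | ab_summary ECDHE-ECDSA-CHACHA20-POLY1305
```

In the run above, Keep-Alive requests is 0 even though -k was passed, so no connection was reused; the last column keeps that visible when results for different suites are put side by side.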
