
Beta Branch add optional OpenSSL 1.1.0g patch for 30-40% ECDSA performance boost

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jan 2, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    53,535
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    2:02 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    add optional OpenSSL 1.1.0g patch for 30-40% ECDSA performance boost

    - when Nginx is recompiled via centmin.sh menu option 4 with prior persistent config file /etc/centminmod/custom_config.inc set variables, LIBRESSL_SWITCH='y', OPENSSLECDSA_PATCH='y' and OpenSSL version used is 1.1.0g, then OpenSSL 1.1.0g is patched for better ECDSA performance. If you use ECC 256bit ECDSA SSL certificates for HTTP/2 HTTPS then you'll have better HTTP/2 HTTPS performance compared to standard ECDSA and the usual default RSA 2048bit SSL certificates.
    OpenSSL - [PATCH]30-40% ECDSA performance improvement - OpenSSL 1.1


    123.09beta01 branch


     
  2. eva2000

    On OVH Core i7 4790K 4C/8T server with CentOS 7.4 64bit and Centmin Mod 123.09beta01 LEMP stack

    With the patch the result was 43.4% faster ECDSA signs/s and 15.4% faster ECDSA verify/s :cool:

    OpenSSL 1.1.0g   rsa 2048 signs/s   rsa 2048 verify/s   ecdsa 256bit signs/s   ecdsa 256bit verify/s
    before patch     8278.4             181818.2            121212.1               43450.5
    after patch      8299.9             181818.2            173813.0               50157.2


    before ECDSA OpenSSL 1.1.0g backported patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000121s 0.000005s   8278.4 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  43450.5
    

    after patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000120s 0.000005s   8299.9 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 173913.0  50157.2
    
     
  3. eva2000

  4. Matt

    Matt Well-Known Member

    926
    414
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +669
    Local Time:
    5:02 AM
    1.5.15
    MariaDB 10.2
    I've just switched a site to a new certificate using the P-256 key size (Comodo Certificate), so I've added both these flags to the nginx build :)
     
  5. Jimmy

    Jimmy Well-Known Member

    1,778
    388
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +987
    Local Time:
    12:02 AM
    I have the command to generate the RSA key. Do you have one for this?
    Code:
    openssl req -new -newkey rsa:2048 -nodes -out <domain>_com.csr -keyout <domain>_com.key -subj... 
    Love to give this a try. :)
     
  6. eva2000

    Very nice.. if you're adventurous you can also look into dual ECDSA + RSA ssl certificate configurations:
    SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support !
    To generate an ECC 256bit ECDSA certificate's required CSR file and private key, just replace the keyname variable with your domain or subdomain
    Code (Text):
    keyname=yourdomain.com
    curve=prime256v1
    openssl ecparam -out ${keyname}.key -name $curve -genkey
    openssl req -new -sha256 -key ${keyname}.key -nodes -out ${keyname}.csr
    
     
  7. Matt

  8. eva2000

    Yeah that tool is useful too :)

    just becomes

    Code (Text):
    domain=yourdomain.com
    curve=prime256v1
    country=AU
    state=QLD
    city=Brisbane
    openssl ecparam -out $domain.key -name $curve -genkey
    openssl req -new -key $domain.key -nodes -out $domain.csr -subj "/C=$country/ST=$state/L=$city/O=$domain/CN=$domain"
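
    The two CSR recipes in posts 6 and 8 generate the files but never check them. Below is an added example (not from the thread or from Centmin Mod) that wraps the same openssl commands in a function and then verifies that the CSR really carries a prime256v1 key, that it matches the private key on disk and that its self-signature checks out. Domain and subject fields (example.test, AU/QLD/Brisbane) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate a P-256 ECDSA key and CSR the
# way posts 6 and 8 do, then check the result before it goes to the CA.
# Domain and subject values are constructed placeholders.
set -eu

# gen_ec_csr DOMAIN CURVE OUTDIR: writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
gen_ec_csr() {
    domain=$1; curve=$2; outdir=$3
    umask 077   # the private key file must not be readable by other users
    # -noout drops the separate "EC PARAMETERS" block the thread's command emits
    openssl ecparam -name "$curve" -genkey -noout -out "$outdir/$domain.key"
    openssl req -new -sha256 -key "$outdir/$domain.key" -nodes \
        -out "$outdir/$domain.csr" \
        -subj "/C=AU/ST=QLD/L=Brisbane/O=$domain/CN=$domain"
}

# csr_curve CSR: prints the named curve of the public key embedded in the CSR
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# csr_subject CSR: prints the subject line (layout varies by OpenSSL version)
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# csr_matches_key KEY CSR: succeeds only if the CSR carries KEY's public key
# and its self-signature verifies (a swapped or corrupted file fails here)
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout)
    csr_pub=$(openssl req -in "$2" -noout -pubkey)
    [ "$key_pub" = "$csr_pub" ] || return 1
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK"
}

# Demo run: files land in a temporary directory and are removed afterwards
work=$(mktemp -d)
gen_ec_csr example.test prime256v1 "$work"
echo "curve:   $(csr_curve "$work/example.test.csr")"
echo "subject: $(csr_subject "$work/example.test.csr")"
csr_matches_key "$work/example.test.key" "$work/example.test.csr" && echo "CSR matches key"
rm -rf "$work"
```

    The same checks apply to the RSA CSR from post 5; only the curve check is ECDSA-specific.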
    
     
  9. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    12:02 PM
    Mainline
    10.2
    Is it possible I can have the URL via PM?
    I would like to test it with UC Browser on XP SP3 machine.
    Thanks!
     
  10. rdan

    You only have 3 Cert also?
     
  11. Jimmy

    Thanks, works great!
     
  12. Jimmy

    I tried to re-issue a cert using the above and it gave me the warning:
    I guess the cheaper certs don't allow these? In my case, a Comodo Positive SSL.
     
  13. rdan

  14. Jimmy

    I just purchased a cert on Namecheap (Positive SSL) and everything worked fine.

    It appears that ssls is the issue. Thanks @RoldanLT

    For what it's worth, I sent in a support ticket to ssls.
     
  15. rdan

    Is it possible I can have your URL via PM?
    I would like to test it with UC Browser on XP SP3 machine.
    Thanks!
     
  16. Jimmy

    Site is behind a username / password because I'm working on the project. I figured that would be a good site to test everything out on.

    I'm probably not going to do any other sites until ssls upgrades.