/ Register

Join the community today
Become a Member

Nginx Centmin Mod Nginx HTTP/2 HTTPS TLS Library Benchmarks - OpenSSL vs LibreSSL vs BoringSSL

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Oct 30, 2022.

Tags:
Previous Thread Next Thread
Loading...
  1. Oct 30, 2022 #1
    eva2000

    eva2000 Administrator Staff Member

    49,766
    11,447
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,789
    Local Time:
    12:45 PM
    Nginx 1.21.x
    MariaDB 10.x
    Centmin Mod Nginx server by default uses OpenSSL 1.1.1 for its TLS library for HTTPS. However, Centmin Mod Nginx also optionally supports other TLS libraries for OpenSSL 3.0, LibreSSL and BoringSSL. It's been a while since I've benchmarked all the options, so I decided to use my newest favourite load testing tool, k6 to benchmark them quickly. The results are pretty close using k6 benchmarking tools, but OpenSSL 1.1.1 does win still with BoringSSL in second place :D

    Centmin Mod 130.00beta01's Nginx default OpenSSL 1.1.1
    Code (Text):
    nginx -V
nginx version: nginx/1.23.2 (301022-065714-centos7-ed582fb-br-6e975bc)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with OpenSSL 1.1.1q  5 Jul 2022
TLS SNI support enabled

    With OpenSSL 3.0.5
    Code (Text):
    nginx -V
nginx version: nginx/1.23.2 (301022-055900-centos7-ed582fb-br-6e975bc)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with OpenSSL 3.0.5 5 Jul 2022
TLS SNI support enabled

    and BoringSSL
    Code (Text):
    nginx -V
nginx version: nginx/1.23.2 (301022-065301-centos7-ed582fb-br-6e975bc)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled

    LibreSSL 3.5.3
    Code (Text):
    nginx -V
nginx version: nginx/1.23.2 (301022-061258-centos7-ed582fb-br-6e975bc)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with LibreSSL 3.5.3
TLS SNI support enabled

    LibreSSL only 3.6.0 has experimental BoringSSL QUIC API support added
    Code (Text):
    nginx -V
nginx version: nginx/1.23.2 (301022-081947-centos7-ed582fb-br-6e975bc)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with LibreSSL 3.6.0
TLS SNI support enabled


    k6 benchmarks were done with HTTP/2 with Centmin Mod Nginx using ECDSA 256bit SSL certificates which from past benchmarks show BoringSSL did have a slight lead for ECDSA SSL ciphers.

    Average requests/sec vs average response times (ms)

    nginx-tls-library-k6-benhcmarks-avg-01.png

    Average requests/sec vs max response times (ms)

    nginx-tls-library-k6-benhcmarks-max-01.png
     
  2. Oct 30, 2022 #2
    rdan

    rdan Well-Known Member

    5,373
    1,349
    113
    May 25, 2014
    Ratings:
    +2,112
    Local Time:
    10:45 AM
    Mainline
    10.2
    BoringSSL wins on the max response times?
    Thanks for the info Eva.
     
  3. Oct 31, 2022 #3
    eva2000

    eva2000 Administrator Staff Member

    49,766
    11,447
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,789
    Local Time:
    12:45 PM
    Nginx 1.21.x
    MariaDB 10.x
    Yeah just and for these k6 benchmarks :) But unlike OpenSSL 1.1.1, BoringSSL doesn't support OCSP stapling nor does it support dual RSA 2048bit + ECDSA 256bit SSL certificates.
     
  4. Oct 31, 2022 #4
    rdan

    rdan Well-Known Member

    5,373
    1,349
    113
    May 25, 2014
    Ratings:
    +2,112
    Local Time:
    10:45 AM
    Mainline
    10.2
    For a few years now, all my sites only support ECC certificates :).
    RSA is so old now :D
     
Previous Thread Next Thread
Loading...

.