
Nginx Centmin Mod Nginx HTTP/2 HTTPS TLS Library Benchmarks - OpenSSL vs LibreSSL vs BoringSSL

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Oct 30, 2022.

  1. eva2000

    Centmin Mod Nginx server by default uses OpenSSL 1.1.1 for its TLS library for HTTPS. However, Centmin Mod Nginx also optionally supports other TLS libraries: OpenSSL 3.0, LibreSSL and BoringSSL. It's been a while since I've benchmarked all the options, so I decided to use my newest favourite load testing tool, k6, to benchmark them quickly. The results are pretty close using k6 benchmarking tools, but OpenSSL 1.1.1 does win still with BoringSSL in second place :D

    Centmin Mod 130.00beta01's Nginx default OpenSSL 1.1.1
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-065714-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with OpenSSL 1.1.1q  5 Jul 2022
    TLS SNI support enabled
    

    With OpenSSL 3.0.5
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-055900-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with OpenSSL 3.0.5 5 Jul 2022
    TLS SNI support enabled
    

    and BoringSSL
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-065301-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
    TLS SNI support enabled
    

    LibreSSL 3.5.3
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-061258-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with LibreSSL 3.5.3
    TLS SNI support enabled
    

    LibreSSL only 3.6.0 has experimental BoringSSL QUIC API support added
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-081947-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with LibreSSL 3.6.0
    TLS SNI support enabled


    k6 benchmarks were done with HTTP/2 with Centmin Mod Nginx using ECDSA 256bit SSL certificates. Past benchmarks show BoringSSL did have a slight lead for ECDSA SSL ciphers.

    Average requests/sec vs average response times (ms)

    nginx-tls-library-k6-benhcmarks-avg-01.png

    Average requests/sec vs max response times (ms)


    nginx-tls-library-k6-benhcmarks-max-01.png
     
  2. rdan

    BoringSSL wins on the max response times?
    Thanks for the info Eva.
     
  3. eva2000

    Yeah, just, and for these k6 benchmarks :) But unlike OpenSSL 1.1.1, BoringSSL doesn't support OCSP stapling nor does it support dual RSA 2048bit + ECDSA 256bit SSL certificates.
     
  4. rdan

    For a few years now, all my sites only support ECC certificates :).
    RSA is so old now :D
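
The feature gap noted in the thread for BoringSSL builds (no OCSP stapling, no dual RSA + ECDSA certificates) can be checked against an Nginx config before switching TLS libraries. This is an added example, not code from the thread or from Centmin Mod: it classifies the library from the `built with` line of `nginx -V` and flags the affected directives per server block. The function names, the sample config and its certificate paths are constructed for illustration.

```python
import re

def tls_library(nginx_v):
    """Name the TLS library from the 'built with' line of `nginx -V` output."""
    m = re.search(r"^\s*built with (.+)$", nginx_v, re.M)
    line = m.group(1) if m else ""
    # BoringSSL builds report an OpenSSL-compatible string, so test for it first.
    for name in ("BoringSSL", "LibreSSL", "OpenSSL"):
        if name in line:
            return name
    return "unknown"

def server_blocks(conf):
    """Yield the body of each server { } block, matching nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(nginx_v, conf):
    """Return (library, findings) for features the thread says BoringSSL lacks."""
    lib, findings = tls_library(nginx_v), []
    if lib != "BoringSSL":
        return lib, findings
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching directives
    for n, body in enumerate(server_blocks(conf), 1):
        if re.search(r"\bssl_stapling\s+on\s*;", body):
            findings.append((n, "ssl_stapling on"))
        if len(re.findall(r"\bssl_certificate\s+[^;]+;", body)) > 1:
            findings.append((n, "dual ssl_certificate"))
    return lib, findings

# "built with" line as quoted in the first post.
BORINGSSL_V = "built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)"
# Constructed sample config; certificate paths are placeholders.
SAMPLE_CONF = """
server {
    ssl_certificate     /path/to/example-rsa.crt;
    ssl_certificate_key /path/to/example-rsa.key;
    ssl_certificate     /path/to/example-ecdsa.crt;
    ssl_certificate_key /path/to/example-ecdsa.key;
    ssl_stapling on;
    location / { return 200; }
}
"""
if __name__ == "__main__":
    print(audit(BORINGSSL_V, SAMPLE_CONF))
```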