
SSL HTTP/2 - h2o vs OpenLiteSpeed vs Nginx SPDY/3.1

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Mar 27, 2015.

  1. eva2000


    HTTP/2 and SPDY/3.1 Test Configurations



    Continuing the previous tests, but this time I added the OpenLiteSpeed web server to the mix, as it also supports SPDY and HTTP/2.

    I am using my World Flags Demo site template to test Nginx SPDY/3.1 SSL (Centmin Mod config) vs h2o HTTP/2 SSL vs OpenLiteSpeed 1.4.6 HTTP/2 vs non-https for Nginx, h2o and OpenLiteSpeed served files, using 6 different setups as outlined below.
    The H2O HTTP/2 server was installed via h2o_installer, Nginx via Centmin Mod, and OpenLiteSpeed via upcoming integration work I am doing for my Centmin Mod LEMP web stack. The Centmin Mod web stack currently supports just Nginx, but I eventually plan to have integrated support for Apache 2.4, OpenLiteSpeed and h2o servers :)

    I will be using webpagetest.org and various other tools, including the nghttp2 C library's bundled h2load HTTP/2 load and stress testing tool. Think of h2load as being to HTTP/2 servers what apachebench, wrk and siege load tests are to HTTP/1 and HTTP/1.1 load testing.

    Nginx & h2o Server Configurations


    • 1 cpu core KVM DigitalOcean VPS
    • 512MB RAM
    • 25GB SSD
    • CentOS 6.6 32bit
    • Centmin Mod .08 beta02
    • San Francisco location

    nghttp2 client checks



    Using the nghttp2 client, nghttp, which supports HTTP/2, to check what protocols are offered by Nginx SPDY/3.1 https, h2o HTTP/2 https and OpenLiteSpeed HTTP/2 https.

    Nginx SPDY/3.1 supports spdy/3.1 and http/1.1
    Code:
    nghttp -nv https://h2ohttp2.centminmod.com/flags.html
    [  0.484] Connected
    [  0.563][NPN] server offers:
              * spdy/3.1
              * http/1.1
    [ERROR] HTTP/2 protocol was not selected. (nghttp2 expects h2-14)
    
    h2o HTTP/2 supports HTTP/2 protocols and drafts - h2, h2-14, and h2-16
    Code:
    nghttp -nv https://h2ohttp2.centminmod.com:8081/flags.html
    [  0.131] Connected
    [  0.247][NPN] server offers:
              * h2
              * h2-16
              * h2-14
    The negotiated protocol: h2
    
    OpenLiteSpeed 1.4.6 supports HTTP/2 protocols and drafts - h2-14 and spdy/2, spdy/3, spdy/3.1 and http/1.1
    Code:
    nghttp -nv https://h2ohttp2.centminmod.com:8099/flags.html
    [  0.281] Connected
    [  0.351][NPN] server offers:
              * h2-14
              * spdy/3.1
              * spdy/3
              * spdy/2
              * http/1.1
    The negotiated protocol: h2-14
    

    cipherscan tests



    I made sure to configure all 3 servers with the exact same cipher preferences. Also, all 3 servers are compiled against an OpenSSL 1.0.2a-chacha patched build for chacha20_poly1305 cipher support in Chrome/Opera browsers :)

    Nginx SPDY/3.1 port 443

    Code:
    cipherscan h2ohttp2.centminmod.com:443              
    ....................
    Target: h2ohttp2.centminmod.com:443
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True
    
    OCSP stapling: supported
    Server side cipher ordering
    
    h2o HTTP/2 port 8081

    Code:
    cipherscan h2ohttp2.centminmod.com:8081
    ....................
    Target: h2ohttp2.centminmod.com:8081
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
    
    OCSP stapling: supported
    Server side cipher ordering
    
    OpenLiteSpeed 1.4.6 port 8099

    Code:
    cipherscan h2ohttp2.centminmod.com:8099
    ....................
    Target: h2ohttp2.centminmod.com:8099
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
    12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
    14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
    
    OCSP stapling: supported
    Server side cipher ordering
    

    testssl check



    testssl is another tool bundled in my nghttp2 Ubuntu Docker image.

    testssl tool check for Nginx SPDY/3.1 SSL

    in particular the server preferences configured:


    Code:
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1
    
    Code:
    testssl https://h2ohttp2.centminmod.com/flags.html
    
    #########################################################
    testssl v2.3dev  (https://testssl.sh)
    ($Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $)
    
       This program is free software. Redistribution +
       modification under GPLv2 is permitted.
       USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
    Note: you can only check the server with what is
    available (ciphers/protocols) locally on your machine!
    #########################################################
    
    Using "OpenSSL 1.0.2-chacha (1.0.2b-dev)" [~177 ciphers] on
    01def0673358:/usr/local/http2-15/bin/openssl
    (built: "reproducible build, date unspecified", platform: "linux-x86_64")
    
    Testing now (2015-03-26 21:50) ---> 198.199.94.9:443 (h2ohttp2.centminmod.com) <---
    
    Service detected:       HTTP
    
    --> Testing Protocols
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLSv1      offered
    TLSv1.1    offered
    TLSv1.2    offered (OK)
    SPDY/NPN   spdy/3.1, http/1.1 (advertised)
    
    --> Testing standard cipher lists
    
    Null Cipher              not offered (OK)
    Anonymous NULL Cipher    not offered (OK)
    Anonymous DH Cipher      not offered (OK)
    40 Bit encryption        not offered (OK)
    56 Bit encryption        not offered (OK)
    Export Cipher (general)  not offered (OK)
    Low (<=64 Bit)           not offered (OK)
    DES Cipher               not offered (OK)
    Triple DES Cipher        not offered (OK)
    Medium grade encryption  not offered (OK)
    High grade encryption    offered (OK)
    
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        server name, renegotiation info, EC point formats, session ticket, status request, heartbeat
    Session Tickets RFC 5077     43200 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256withRSA
    Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
    Common Name (CN)             *.centminmod.com (works w/o SNI)
    subjectAltName (SAN)         *.centminmod.com centminmod.com
    Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
    Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                OCSP stapling offered
    
    --> Testing HTTP Header response
    
    HSTS          --
    HPKP          --
    Server        nginx centminmod
    Application   (no banner at "/flags.html")
    Cookie(s)     (none issued at "/flags.html")
    
    --> Testing specific vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK)
    CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    Renegotiation (CVE 2009-3555)             not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587) =HTTP Compression  NOT ok: uses gzip compression  (only "/flags.html" tested)
    POODLE, SSL (CVE-2014-3566), experimental not vulnerable (OK)
    FREAK  (CVE-2015-0204), experimental      not vulnerable (OK)
    BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
    
    --> Checking RC4 Ciphers
    
    no RC4 ciphers detected (OK)
    
    --> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here
    
    OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow...
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
    -------------------------------------------------------------------------
    xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM     256       
    x9f     DHE-RSA-AES256-GCM-SHA384      DH         AESGCM     256       
    x6b     DHE-RSA-AES256-SHA256          DH         AES        256       
    x39     DHE-RSA-AES256-SHA             DH         AES        256       
    xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH       ChaCha20   256       
    xc014   ECDHE-RSA-AES256-SHA           ECDH       AES        256       
    xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128       
    xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128       
    x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128       
    x67     DHE-RSA-AES128-SHA256          DH         AES        128       
    x33     DHE-RSA-AES128-SHA             DH         AES        128       
    xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128       
    
    testssl tool check for h2o HTTP/2 SSL over port 8081

    in particular the server preferences configured - spdy/4a2 = HTTP/2?

    Code:
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/4a2
    
    Code:
    testssl https://h2ohttp2.centminmod.com:8081/flags.html
    
    #########################################################
    testssl v2.3dev  (https://testssl.sh)
    ($Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $)
    
       This program is free software. Redistribution +
       modification under GPLv2 is permitted.
       USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
    Note: you can only check the server with what is
    available (ciphers/protocols) locally on your machine!
    #########################################################
    
    Using "OpenSSL 1.0.2-chacha (1.0.2b-dev)" [~177 ciphers] on
    01def0673358:/usr/local/http2-15/bin/openssl
    (built: "reproducible build, date unspecified", platform: "linux-x86_64")
    
    Testing now (2015-03-27 01:32) ---> 198.199.94.9:8081 (h2ohttp2.centminmod.com) <---
    
    Service detected:       HTTP
    
    --> Testing Protocols
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLSv1      offered
    TLSv1.1    offered
    TLSv1.2    offered (OK)
    SPDY/NPN   please check manually, response from server was ambigious ...
    
    --> Testing standard cipher lists
    
    Null Cipher              not offered (OK)
    Anonymous NULL Cipher    not offered (OK)
    Anonymous DH Cipher      not offered (OK)
    40 Bit encryption        not offered (OK)
    56 Bit encryption        not offered (OK)
    Export Cipher (general)  not offered (OK)
    Low (<=64 Bit)           not offered (OK)
    DES Cipher               not offered (OK)
    Triple DES Cipher        not offered (OK)
    Medium grade encryption  not offered (OK)
    High grade encryption    offered (OK)
    
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/4a2
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket, status request
    Session Tickets RFC 5077     300 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256withRSA
    Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
    Common Name (CN)             *.centminmod.com (works w/o SNI)
    subjectAltName (SAN)         *.centminmod.com centminmod.com
    Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
    Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                OCSP stapling offered
    
    --> Testing HTTP Header response
    
    HSTS          --
    HPKP          --
    Server        h2o/1.1.2-alpha1
    Application   (no banner at "/flags.html")
    Cookie(s)     (none issued at "/flags.html")
    
    --> Testing specific vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK)
    CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    Renegotiation (CVE 2009-3555)             not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587) =HTTP Compression  no HTTP compression (OK)  (only "/flags.html" tested)
    POODLE, SSL (CVE-2014-3566), experimental not vulnerable (OK)
    FREAK  (CVE-2015-0204), experimental      not vulnerable (OK)
    BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
    
    --> Checking RC4 Ciphers
    
    no RC4 ciphers detected (OK)
    
    --> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here
    
    OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow...
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
    -------------------------------------------------------------------------
    xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM     256         
    x9f     DHE-RSA-AES256-GCM-SHA384      DH         AESGCM     256         
    x6b     DHE-RSA-AES256-SHA256          DH         AES        256         
    x39     DHE-RSA-AES256-SHA             DH         AES        256         
    xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH       ChaCha20   256         
    xc014   ECDHE-RSA-AES256-SHA           ECDH       AES        256         
    xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128         
    xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128         
    x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128         
    x67     DHE-RSA-AES128-SHA256          DH         AES        128         
    x33     DHE-RSA-AES128-SHA             DH         AES        128         
    xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128       
    
    testssl tool check for OpenLiteSpeed SSL over port 8099

    in particular the server preferences configured:

    Code:
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1
    
    For some reason, when it gets to the 'Secure Client-Initiated Renegotiation' test it hangs, so I had to abort.
    Code:
    testssl https://h2ohttp2.centminmod.com:8099/flags.html
    
    #########################################################
    testssl v2.3dev  (https://testssl.sh)
    ($Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $)
    
       This program is free software. Redistribution +
       modification under GPLv2 is permitted.
       USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
    Note: you can only check the server with what is
    available (ciphers/protocols) locally on your machine!
    #########################################################
    
    Using "OpenSSL 1.0.2-chacha (1.0.2b-dev)" [~177 ciphers] on
    01def0673358:/usr/local/http2-15/bin/openssl
    (built: "reproducible build, date unspecified", platform: "linux-x86_64")
    
    Testing now (2015-03-26 21:56) ---> 198.199.94.9:8099 (h2ohttp2.centminmod.com) <---
    
    Service detected:       HTTP
    
    --> Testing Protocols
    
    SSLv2      offered (NOT ok)  -- 4282 ciphers
    SSLv3      not offered (OK)
    TLSv1      offered
    TLSv1.1    offered
    TLSv1.2    offered (OK)
    SPDY/NPN   h2-14, spdy/3.1, spdy/3, spdy/2, http/1.1 (advertised)
    
    --> Testing standard cipher lists
    
    Null Cipher              not offered (OK)
    Anonymous NULL Cipher    not offered (OK)
    Anonymous DH Cipher      not offered (OK)
    40 Bit encryption        not offered (OK)
    56 Bit encryption        not offered (OK)
    Export Cipher (general)  not offered (OK)
    Low (<=64 Bit)           not offered (OK)
    DES Cipher               not offered (OK)
    Triple DES Cipher        not offered (OK)
    Medium grade encryption  not offered (OK)
    High grade encryption    offered (OK)
    
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket, status request, heartbeat
    Session Tickets RFC 5077     300 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256withRSA
    Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
    Common Name (CN)             *.centminmod.com (works w/o SNI)
    subjectAltName (SAN)         *.centminmod.com centminmod.com
    Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
    Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                OCSP stapling offered
    
    --> Testing HTTP Header response
    
    failed (HTTP header request stalled)
    HPKP          --
    Server        no "Server" line in header, interesting!
    Application   (no banner at "/flags.html")
    Cookie(s)     (none issued at "/flags.html")
    
    --> Testing specific vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
    CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
    Secure Client-Initiated Renegotiation     ^C
    
     
    Last edited: Mar 27, 2015
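As an added example (not code from the original post or from any of the three server projects), the Python script below parses cipherscan tables and testssl's "Testing Protocols" block like the ones shown above, flags the settings a defender would act on (DH parameters below 2048 bits, suites without forward secrecy, SSLv2/SSLv3 offered, missing OCSP staple), and checks whether two servers really present the same cipher preferences. The function names and the abbreviated sample tables are my own constructions, copied from the post's output.

```python
"""Audit cipherscan / testssl output: parse, flag weak settings, compare servers.
Added example, not part of the original post; sample inputs are constructed,
abbreviated copies of the tables shown in the post."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CipherRow:
    prio: int
    suite: str
    protocols: tuple      # e.g. ("TLSv1", "TLSv1.1", "TLSv1.2")
    ticket_hint: str      # session ticket lifetime hint as printed ("None" if absent)
    ocsp_staple: bool
    pfs: str              # "DH,4096bits", "ECDH,P-256,256bits", or "" for static RSA


def parse_cipherscan(text):
    """Return the rows of a cipherscan table in the server's preference order."""
    rows, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "prio":        # the column header opens the table
            in_table = True
            continue
        # Trailer lines such as "OCSP stapling: supported" have no numeric prio.
        if not in_table or len(parts) < 8 or not parts[0].isdigit():
            continue
        rows.append(CipherRow(
            prio=int(parts[0]), suite=parts[1], protocols=tuple(parts[2].split(",")),
            ticket_hint=parts[6], ocsp_staple=(parts[7] == "True"),
            pfs=parts[8] if len(parts) > 8 else ""))
    return rows


def parse_testssl_protocols(text):
    """Map protocol name -> True if testssl reported it as offered."""
    pattern = r"^\s*(SSLv2|SSLv3|TLSv1(?:\.[12])?)\s+(not offered|offered)"
    return {m.group(1): m.group(2) == "offered"
            for m in re.finditer(pattern, text, re.MULTILINE)}


def audit(rows, protocols=None, min_dh_bits=2048):
    """Return human-readable findings for one server, in scan order."""
    findings = [f"{p} is offered" for p in ("SSLv2", "SSLv3") if (protocols or {}).get(p)]
    for r in rows:
        dh = re.fullmatch(r"DH,(\d+)bits", r.pfs)
        if dh and int(dh.group(1)) < min_dh_bits:
            findings.append(f"#{r.prio} {r.suite}: DH parameters only {dh.group(1)} bits")
        elif not r.pfs:
            findings.append(f"#{r.prio} {r.suite}: no forward secrecy (static RSA key exchange)")
        if not r.ocsp_staple:
            findings.append(f"#{r.prio} {r.suite}: no OCSP staple")
    return findings


def compare(a, b):
    """Same suites in the same order? Which suites differ in key-exchange size?"""
    same_order = [r.suite for r in a] == [r.suite for r in b]
    by_suite = {r.suite: r for r in b}
    diffs = [(r.suite, r.pfs, by_suite[r.suite].pfs)
             for r in a if r.suite in by_suite and r.pfs != by_suite[r.suite].pfs]
    return {"same_order": same_order, "pfs_differences": diffs}


# Constructed sample: four rows from the Nginx (:443) cipherscan table in the post.
NGINX_SCAN = """\
Target: h2ohttp2.centminmod.com:443

prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True

OCSP stapling: supported
Server side cipher ordering
"""
# The OpenLiteSpeed (:8099) table differs only in ticket hint and DH size.
OLS_SCAN = (NGINX_SCAN.replace(":443", ":8099").replace("43200", "300  ")
            .replace("DH,4096bits", "DH,1024bits"))
# Constructed from the "--> Testing Protocols" block of the OpenLiteSpeed testssl run.
OLS_TESTSSL = """\
--> Testing Protocols

SSLv2      offered (NOT ok)  -- 4282 ciphers
SSLv3      not offered (OK)
TLSv1      offered
TLSv1.1    offered
TLSv1.2    offered (OK)
SPDY/NPN   h2-14, spdy/3.1, spdy/3, spdy/2, http/1.1 (advertised)
"""

if __name__ == "__main__":
    nginx, ols = parse_cipherscan(NGINX_SCAN), parse_cipherscan(OLS_SCAN)
    print("nginx :443", audit(nginx))
    print("ols :8099 ", audit(ols, parse_testssl_protocols(OLS_TESTSSL)))
    print("compare   ", compare(nginx, ols))
```

Run against the full tables in the post, the comparison shows identical suite order on all three servers while the OpenLiteSpeed DHE suites fall back to 1024-bit DH parameters.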
  2. eva2000


    webpagetest.org tests



    6-way comparison via webpagetest.org at the San Francisco location using the Cable 5Mbps test @1920x1200 viewport.

    Basically, from fastest to slowest, it was as follows:
    1. h2o HTTP/2 https
    2. nginx SPDY/3.1 https
    3. openlitespeed HTTP/2 https
    4. h2o non-https
    5. nginx non-https
    6. openlitespeed non-https
    [image: webpagetest.org visual comparison at 1920 viewport]

    Individual Summaries
    [images: OpenLiteSpeed HTTP/2 https, Nginx SPDY/3.1 https, h2o HTTP/2 https, OpenLiteSpeed non-https, Nginx non-https, h2o non-https]

    Filmstrip at 0.5s interval
    [image]

    Filmstrip at 0.1s interval
    [images]

    Charts
    [images]
     
    Last edited: Mar 27, 2015
  3. eva2000


    3G Mobile webpagetest.org tests



    6-way comparison via webpagetest.org at the San Francisco location using the 3G Mobile 1.6Mbps 300ms RTT test @1920x1200 viewport. The benefits of HTTP/2 and SPDY/3.1 based SSL can be clearly seen with lower speed internet connections for total and visual page rendering times, despite the higher TTFB and first byte time reported by webpagetest.org due to SSL negotiation overhead.

    Basically, from fastest to slowest, it was as follows:
    1. h2o HTTP/2 https
    2. nginx SPDY/3.1 https
    3. openlitespeed HTTP/2 https
    4. h2o non-https
    5. nginx non-https
    6. openlitespeed non-https
    Compared
    [image: webpagetest.org 6-way comparison]

    Individual Summaries
    [images: OpenLiteSpeed HTTP/2 https, Nginx SPDY/3.1 https, h2o HTTP/2 https, OpenLiteSpeed non-https, Nginx non-https, h2o non-https]

    Filmstrip at 0.5s interval
    [images]

    Filmstrip at 0.1s interval
    [images]

    Charts
    [images]
     
    Last edited: Mar 27, 2015
  4. eva2000


    Nginx PageSpeed Enabled Comparisons



    For this next comparison test I enabled my Centmin Mod's Nginx ngx_pagespeed module integration for Nginx non-https (port 81) and Nginx SPDY/3.1 https (port 444). ngx_pagespeed is Google's PageSpeed implementation to speed up web sites and work around all the HTTP/1.1 limitations. Surprisingly, Nginx paired with ngx_pagespeed even beats HTTP/2 in terms of page loads. Using 3G Mobile webpagetest.org comparison tests you can see the dramatic difference!


    Speed Index / Page Load Times
    • nginx spdy/3.1 https + ngx_pagespeed = 2.076s / 3.984s <== ngx_pagespeed + SPDY/3.1 fastest of them all
    • nginx http + ngx_pagespeed = 1.439s / 5.683s <== ngx_pagespeed allowed normal HTTP/1.1 http page load speeds as fast as HTTP/2 and SPDY/3.1 https !
    • openlitespeed http/2 https = 3.052s / 5.768s
    • openlitespeed http = 3.535s / 15.355s
    • h2o http/2 https = 2.236s / 5.033s
    • h2o http = 3.101s / 14.900s
    • nginx spdy/3.1 https = 2.378s / 5.172s
    • nginx http = 3.388s / 15.203s

    compared_tn.png

    nginx_spdy_https_pagespeed.png

    nginx_http_pagespeed.png

    Filmstrip at 0.5 second intervals

    filmstrip_500ms_00.png filmstrip_500ms_01.png filmstrip_500ms_02.png

    Filmstrip at 0.1 second intervals

    filmstrip_100ms_00.png filmstrip_100ms_01.png filmstrip_100ms_02.png filmstrip_100ms_03.png filmstrip_100ms_04.png filmstrip_100ms_05.png

    Charts show a clearer picture

    chart01.png
    chart02.png
    chart03.png
    chart04.png
    chart05.png
    chart06.png
    chart07.png
    chart08.png

    chart09.png
    chart10.png
    chart11.png

    Nginx + ngx_pagespeed auto inlines and converts smaller images into data URIs embedded in the HTML page, hence the larger HTML byte size :)

    chart12.png

    Nginx + ngx_pagespeed concatenates CSS requests, which halved the CSS request count

    chart13.png

    Nginx + ngx_pagespeed auto minifies and concatenates CSS, so the byte count ends up smaller

    chart14.png

    Nginx + ngx_pagespeed's auto data URI inlining of smaller images ended up reducing the actual image request count

    chart15.png

    Nginx + ngx_pagespeed auto converts images to the smaller WebP format for browsers that support WebP, as well as to data URIs

    chart16.png
     
    Last edited: Mar 28, 2015
  5. eva2000

    The specific ngx_pagespeed configuration used for Centmin Mod Nginx Pagespeed benchmarks at https://h2ohttp2.centminmod.com/webpagetests1.html is posted below for those curious.

    Details on the background of my Centmin Mod Nginx ngx_pagespeed integration are at http://centminmod.com/nginx_ngx_pagespeed.html

    For my /usr/local/nginx/conf/pagespeedadmin.conf nginx include file:
    Code:
    #######################################################
    # 1.8.31.2 beta required paths
    # https://developers.google.com/speed/pagespeed/module/admin
    #######################################################
    # 1.9.32.1 beta required change
    # https://community.centminmod.com/threads/how-can-i-disable-it-after-installation.1603/#post-7665
    # add a second pagespeed on; variable 
    # loaded in nginx.conf via pagespeedadmin.conf include file
    pagespeed on;
    #######################################################
    pagespeed FileCachePath /var/ngx_pagespeed_cache;
    pagespeed StatisticsPath /ngx_pagespeed_statistics;
    pagespeed GlobalStatisticsPath /ngx_pagespeed_global_statistics;
    pagespeed MessagesPath /ngx_pagespeed_message;
    pagespeed ConsolePath /pagespeed_console;
    pagespeed AdminPath /pagespeed_admin;
    pagespeed GlobalAdminPath /pagespeed_global_admin;
    
    #######################################################
    # Set it to 0 if you want to disable this feature.
    pagespeed MessageBufferSize 100000;
    
    #######################################################
    # https://developers.google.com/speed/pagespeed/module/system#tune_thread
    # pagespeed NumRewriteThreads 4;
    # pagespeed NumExpensiveRewriteThreads 4;
    
    #######################################################
    # https://developers.google.com/speed/pagespeed/module/system#image_rewrite_max
    # Bound the number of images that can be rewritten at any one time; this
    # avoids overloading the CPU.  Set this to 0 to remove the bound.
    #
    pagespeed ImageMaxRewritesAtOnce 2;
    
    For my /usr/local/nginx/conf/pagespeed.conf nginx include file in the vhost:
    Code:
    pagespeed on;
    
    pagespeed Domain https://h2ohttp2.centminmod.com;
    pagespeed LoadFromFile "http://h2ohttp2.centminmod.com" "/home/nginx/domains/h2ohttp2.centminmod.com/public";
    pagespeed LoadFromFile "https://h2ohttp2.centminmod.com" "/home/nginx/domains/h2ohttp2.centminmod.com/public";
    
    pagespeed Domain http://h2ohttp2.centminmod.com:81;
    pagespeed Domain https://h2ohttp2.centminmod.com:444;
    pagespeed LoadFromFile "http://h2ohttp2.centminmod.com:81" "/home/nginx/domains/h2ohttp2.centminmod.com/public";
    pagespeed LoadFromFile "https://h2ohttp2.centminmod.com:444" "/home/nginx/domains/h2ohttp2.centminmod.com/public";
    
    pagespeed RewriteDeadlinePerFlushMs 100;
    
    pagespeed InPlaceResourceOptimization off;
    pagespeed JpegRecompressionQualityForSmallScreens 60;
    pagespeed WebpRecompressionQualityForSmallScreens 60;
    
    #######################################################
    # File cache settings 
    ######################################
    # needs to exist and be writable by nginx
    
    # pagespeed FileCacheSizeKb          102400;
    # pagespeed FileCacheCleanIntervalMs 3600000;
    # pagespeed FileCacheInodeLimit      500000;
    
    #######################################################
    # Set it to 0 if you want to disable this feature.
    # pagespeed MessageBufferSize 100000;
    
    #######################################################
    # By default, ngx_pagespeed adds an X-PageSpeed header with a value of the version of 
    # ngx_pagespeed being used. This directive lets you specify the value to use instead:
    # pagespeed XHeaderValue "ngx_pagespeed";
    
    #######################################################
    # let's speed up PageSpeed by storing it in the super duper fast memcached
    # Ensure Memcached server installed http://centminmod.com/memcached.html
    # default install for centmin mod is on port 11211, so localhost:11211 is correct
    # the 3 lines below are enabled; add a hash # in front of them to disable
    # timeout set at 100 milliseconds (MemcachedTimeoutUs is in microseconds)
    pagespeed MemcachedThreads 1;
    pagespeed MemcachedServers "localhost:11211";
    pagespeed MemcachedTimeoutUs 100000;
    
    #######################################################
    ## https://developers.google.com/speed/pagespeed/module/admin#virtual-hosts-and-stats
    ######################################
    # pagespeed UsePerVhostStatistics on;
    
    #######################################################
    ## 1.7.30.1 beta defaults
    ######################################
    pagespeed PreserveUrlRelativity on;
    pagespeed MaxCombinedCssBytes -1;
    pagespeed ImageResolutionLimitBytes 16777216;
    # pagespeed EnableFilters inline_google_font_css;
    
    #######################################################
    ## 1.6.29.3 beta defaults
    ######################################
    pagespeed AvoidRenamingIntrospectiveJavascript on;
    pagespeed ImageInlineMaxBytes 3072;
    pagespeed CssImageInlineMaxBytes 0;
    pagespeed MaxInlinedPreviewImagesIndex -1;
    pagespeed MinImageSizeLowResolutionBytes 3072;
    
    #######################################################
    ## ngx_pagespeed filters settings below ##
    ######################################
    
      # show half the users an optimized site, half the regular site
      # change UA-XXXXXXXXXX-1 to your GA unique id
      # uncomment - remove hash # in front of below 5 lines to enable
    #  pagespeed RunExperiment on;
    #  pagespeed AnalyticsID UA-XXXXXXXXXX-1;
    #  pagespeed ExperimentVariable 1;
    #  pagespeed ExperimentSpec "id=1;percent=50;level=CoreFilters;enabled=collapse_whitespace,remove_comments;";
    #  pagespeed ExperimentSpec "id=2;percent=50";
    
      # Filter settings
      # filters outlined at http://ngxpagespeed.com/ngx_pagespeed_example/
      pagespeed RewriteLevel CoreFilters;
      pagespeed EnableFilters collapse_whitespace,remove_comments;
    
      # make_google_analytics_async
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-make-google-analytics-async
    #  pagespeed EnableFilters make_google_analytics_async;
    
      # prioritize_critical_css
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-prioritize-critical-css
      pagespeed EnableFilters prioritize_critical_css;
    
      # move_css_to_head
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-to-head
      pagespeed EnableFilters move_css_to_head;
    
      # move_css_above_scripts
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-above-scripts
      pagespeed EnableFilters move_css_above_scripts;
    
      # combine_css 
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-combine
      pagespeed EnableFilters combine_css;
    
       # Uncomment this if you want to prevent mod_pagespeed from combining files
       # (e.g. CSS files) across paths
       #
    #  pagespeed CombineAcrossPaths off;
    
      # combine_javascript
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-js-combine
      pagespeed EnableFilters combine_javascript;
      pagespeed MaxCombinedJsBytes 122900;
    
      # extend_cache
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-cache-extend
    #  pagespeed EnableFilters extend_cache;
    
      # rewrite_css
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-rewrite
      pagespeed EnableFilters rewrite_css;
    
      # rewrite_javascript
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-js-minify
      pagespeed EnableFilters rewrite_javascript;
    
      # inline_preview_images
      # https://developers.google.com/speed/pagespeed/module/filter-inline-preview-images
      pagespeed EnableFilters inline_preview_images;
    
      # lazyload_images
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-lazyload-images
      pagespeed EnableFilters lazyload_images;
    
      # rewrite_images
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-image-optimize
      pagespeed EnableFilters rewrite_images;
    #  pagespeed DisableFilters rewrite_images;
      pagespeed DisableFilters recompress_images;
    #  pagespeed DisableFilters convert_png_to_jpeg;
      pagespeed DisableFilters extend_cache_images;
      pagespeed EnableFilters convert_png_to_jpeg;
      pagespeed EnableFilters convert_jpeg_to_webp;
      pagespeed EnableFilters convert_to_webp_lossless;
    
      # sprite_images
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-image-sprite
    # pagespeed EnableFilters rewrite_css,sprite_images;
    
      # Bound the number of images that can be rewritten at any one time; this
      # avoids overloading the CPU.  Set this to 0 to remove the bound.
      #
    #  pagespeed ImageMaxRewritesAtOnce 2;
    
      # insert_dns_prefetch
      # https://developers.google.com/speed/docs/mod_pagespeed/filter-insert-dns-prefetch
    #  pagespeed EnableFilters insert_dns_prefetch;
    
    #######################################################
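
    A reviewer reading the two include files above, together with the filter effects described in the previous post, wants to know which filters are actually in effect once the later DisableFilters lines are applied, and which URL paths (AdminPath, StatisticsPath and the other handler paths) the module itself answers on the vhost. This added Python example, not Centmin Mod or ngx_pagespeed code, parses a constructed subset of the config above and reports those paths, which any client can reach unless an nginx location with allow/deny is put in front of them, plus any MemcachedServers entry that is not on loopback; filter groups such as rewrite_images are tracked by name only, not expanded.

```python
"""Effective state of an ngx_pagespeed include file.  Added example, not
Centmin Mod or ngx_pagespeed code; the excerpt is constructed from the config above."""
import re

# Constructed subset of the pagespeed.conf / pagespeedadmin.conf shown above.
SAMPLE_CONF = """\
pagespeed on;
pagespeed AdminPath /pagespeed_admin;
pagespeed StatisticsPath /ngx_pagespeed_statistics;
pagespeed MemcachedServers "localhost:11211";
#  pagespeed EnableFilters make_google_analytics_async;
pagespeed EnableFilters rewrite_images,convert_jpeg_to_webp;
pagespeed DisableFilters recompress_images,extend_cache_images;
"""
# Directives whose value is a URL path the module itself serves on the vhost.
HANDLER_KEYS = {"StatisticsPath", "GlobalStatisticsPath", "MessagesPath",
                "ConsolePath", "AdminPath", "GlobalAdminPath"}
DIRECTIVE = re.compile(r'^\s*pagespeed\s+(\S+?)(?:\s+(.*?))?\s*;\s*$')

def parse_pagespeed(text):
    """Apply directives in file order; a later Enable/DisableFilters wins.
    Only explicit filter names are tracked; groups like rewrite_images are not expanded."""
    s = {"enabled": False, "on": set(), "off": set(), "handlers": {}, "memcached": []}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:                      # blank and '#' comment lines never take effect
            continue
        key, val = m.group(1), (m.group(2) or "").strip('"')
        names = {n.strip() for n in val.split(",") if n.strip()}
        if key in ("on", "off"):
            s["enabled"] = key == "on"
        elif key == "EnableFilters":
            s["on"] |= names
            s["off"] -= names
        elif key == "DisableFilters":
            s["off"] |= names
            s["on"] -= names
        elif key in HANDLER_KEYS:
            s["handlers"][key] = val
        elif key == "MemcachedServers":
            s["memcached"] = [h.strip() for h in val.split(",")]
    return s

def review(s):
    """Findings a reviewer wants before the vhost is exposed publicly."""
    out = [f"{k} {v}: served to any client unless an nginx location restricts it"
           for k, v in sorted(s["handlers"].items())]
    out += [f"MemcachedServers {h}: not loopback, and memcached has no authentication"
            for h in s["memcached"] if not h.startswith(("localhost", "127."))]
    return out
```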
    