SSL HTTP/2 - h2o vs OpenLiteSpeed vs Nginx SPDY/3.1

eva2000 · Mar 27, 2015

HTTP/2 and SPDY/3.1 Test Configurations

Continuing previous tests but this time added OpenLiteSpeed web server to the mix as it also supports SPDY and HTTP/2.

I am using my World Flags Demo site template to test Nginx SPDY/3.1 SSL (centmin mod config) vs h2o HTTP/2 SSL vs OpenLiteSpeed 1.4.6 HTTP/2 vs non-https for Nginx, h2o and OpenLiteSpeed served files using 6 different setups as outlined below.

Nginx http 80 = http://h2ohttp2.centminmod.com/flags.html
Nginx https SPDY/3.1 443 = https://h2ohttp2.centminmod.com/flags.html
h2o http 80 = http://h2ohttp2.centminmod.com:8080/flags.html
h2o HTTP/2 8081 = https://h2ohttp2.centminmod.com:8081/flags.html
OpenLiteSpeed 1.4.6 http 8098 = http://h2ohttp2.centminmod.com:8098/flags.html
OpenLiteSpeed 1.4.6 HTTP/2 8099 = https://h2ohttp2.centminmod.com:8099/flags.html

H2O HTTP/2 server installed via h2o_installer. Nginx installed via Centmin Mod. OpenLiteSpeed installed via up coming integration work I am doing for my Centmin Mod LEMP web stack. Centmin Mod web stack currently supports just Nginx but eventually plan to have integrated support for Apache 2.4, OpenLiteSpeed and h2o servers

I will be using webpagetest.org and various other tools, including nghttp2 C library's bundled h2load HTTP/2 load and stress testing tool. Think of h2load is to HTTP/2 servers as apachebench, wrk, siege load tests is to HTTP/1 and HTTP/1.1 load testing.

Nginx & h2o Server Configurations

1 cpu core KVM DigitalOcean VPS
512MB RAM
25GB SSD
CentOS 6.6 32bit
Centmin Mod .08 beta02
San Francisco location

nghttp2 client checks

Using nghttp2 client, nghttp which supports HTTP/2 to check what protocols are offered by Nginx SPDY/3.1 https, h2o HTTP/2 https and OpenLiteSpeed HTTP/2 https.

Nginx SPDY/3.1 supports spdy/3.1 and http/1.1

Code:

nghttp -nv https://h2ohttp2.centminmod.com/flags.html
[  0.484] Connected
[  0.563][NPN] server offers:
          * spdy/3.1
          * http/1.1
[ERROR] HTTP/2 protocol was not selected. (nghttp2 expects h2-14)

h2o HTTP/2 supports HTTP/2 protocols and drafts - h2, h2-14, and h2-16

Code:

nghttp -nv https://h2ohttp2.centminmod.com:8081/flags.html
[  0.131] Connected
[  0.247][NPN] server offers:
          * h2
          * h2-16
          * h2-14
The negotiated protocol: h2

OpenLiteSpeed 1.4.6 supports HTTP/2 protocols and drafts - h2-14 and spdy/2, spdy/3, spdy/3.1 and http/1.1

Code:

nghttp -nv https://h2ohttp2.centminmod.com:8099/flags.html
[  0.281] Connected
[  0.351][NPN] server offers:
          * h2-14
          * spdy/3.1
          * spdy/3
          * spdy/2
          * http/1.1
The negotiated protocol: h2-14

cipherscan tests

I made sure to configure all 3 servers with exact same cipher preferences. Also all 3 servers are compiled against OpenSSL 1.0.2a-chacha patched build for chacha20_poly1305 cipher support for Chrome/Opera browsers

Nginx SPDY/3.1 port 443

Code:

cipherscan h2ohttp2.centminmod.com:443              
....................
Target: h2ohttp2.centminmod.com:443

prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True
19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True

OCSP stapling: supported
Server side cipher ordering

h2o HTTP/2 port 8081

Code:

cipherscan h2ohttp2.centminmod.com:8081
....................
Target: h2ohttp2.centminmod.com:8081

prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True

OCSP stapling: supported
Server side cipher ordering

OpenLiteSpeed 1.4.6 port 8099

Code:

cipherscan h2ohttp2.centminmod.com:8099
....................
Target: h2ohttp2.centminmod.com:8099

prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,1024bits
14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True

OCSP stapling: supported
Server side cipher ordering

testssl check

testssl is another tool bundled in my nghttp2 Ubuntu docker image

testssl tool check for Nginx SPDY/3.1 SSL

in particular server preferences configured

Code:

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
Negotiated cipher per proto
     ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
     ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1

Code:

testssl https://h2ohttp2.centminmod.com/flags.html

#########################################################
testssl v2.3dev  (https://testssl.sh)
($Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $)

   This program is free software. Redistribution +
   modification under GPLv2 is permitted.
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

Note: you can only check the server with what is
available (ciphers/protocols) locally on your machine!
#########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2b-dev)" [~177 ciphers] on
01def0673358:/usr/local/http2-15/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")

Testing now (2015-03-26 21:50) ---> 198.199.94.9:443 (h2ohttp2.centminmod.com) <---

Service detected:       HTTP

--> Testing Protocols

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLSv1      offered
TLSv1.1    offered
TLSv1.2    offered (OK)
SPDY/NPN   spdy/3.1, http/1.1 (advertised)

--> Testing standard cipher lists

Null Cipher              not offered (OK)
Anonymous NULL Cipher    not offered (OK)
Anonymous DH Cipher      not offered (OK)
40 Bit encryption        not offered (OK)
56 Bit encryption        not offered (OK)
Export Cipher (general)  not offered (OK)
Low (<=64 Bit)           not offered (OK)
DES Cipher               not offered (OK)
Triple DES Cipher        not offered (OK)
Medium grade encryption  not offered (OK)
High grade encryption    offered (OK)

--> Testing server preferences

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
Negotiated cipher per proto
     ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
     ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1

--> Testing server defaults (Server Hello)

TLS server extensions        server name, renegotiation info, EC point formats, session ticket, status request, heartbeat
Session Tickets RFC 5077     43200 seconds
Server key size              2048 bit
Signature Algorithm          SHA256withRSA
Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                              SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
Common Name (CN)             *.centminmod.com (works w/o SNI)
subjectAltName (SAN)         *.centminmod.com centminmod.com
Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
# of certificates provided   3
Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
OCSP URI                     http://ocsp.comodoca.com
OCSP stapling                OCSP stapling offered

--> Testing HTTP Header response

HSTS          --
HPKP          --
Server        nginx centminmod
Application   (no banner at "/flags.html")
Cookie(s)     (none issued at "/flags.html")

--> Testing specific vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK)
CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
Renegotiation (CVE 2009-3555)             not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587) =HTTP Compression  NOT ok: uses gzip compression  (only "/flags.html" tested)
POODLE, SSL (CVE-2014-3566), experimental not vulnerable (OK)
FREAK  (CVE-2015-0204), experimental      not vulnerable (OK)
BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)

--> Checking RC4 Ciphers

no RC4 ciphers detected (OK)

--> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here

OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow...

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
-------------------------------------------------------------------------
xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM     256       
x9f     DHE-RSA-AES256-GCM-SHA384      DH         AESGCM     256       
x6b     DHE-RSA-AES256-SHA256          DH         AES        256       
x39     DHE-RSA-AES256-SHA             DH         AES        256       
xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH       ChaCha20   256       
xc014   ECDHE-RSA-AES256-SHA           ECDH       AES        256       
xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128       
xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128       
x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128       
x67     DHE-RSA-AES128-SHA256          DH         AES        128       
x33     DHE-RSA-AES128-SHA             DH         AES        128       
xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128

testssl tool check for h2o HTTP/2 SSL over port 8081

in particular server preferences configured - spdy/4a2 = HTTP/2 ?

Code:

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
Negotiated cipher per proto
     ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
     ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/4a2

Code:

testssl https://h2ohttp2.centminmod.com:8081/flags.html

#########################################################
testssl v2.3dev  (https://testssl.sh)
($Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $)

   This program is free software. Redistribution +
   modification under GPLv2 is permitted.
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

Note: you can only check the server with what is
available (ciphers/protocols) locally on your machine!
#########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2b-dev)" [~177 ciphers] on
01def0673358:/usr/local/http2-15/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")

Testing now (2015-03-27 01:32) ---> 198.199.94.9:8081 (h2ohttp2.centminmod.com) <---

Service detected:       HTTP

--> Testing Protocols

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLSv1      offered
TLSv1.1    offered
TLSv1.2    offered (OK)
SPDY/NPN   please check manually, response from server was ambigious ...

--> Testing standard cipher lists

Null Cipher              not offered (OK)
Anonymous NULL Cipher    not offered (OK)
Anonymous DH Cipher      not offered (OK)
40 Bit encryption        not offered (OK)
56 Bit encryption        not offered (OK)
Export Cipher (general)  not offered (OK)
Low (<=64 Bit)           not offered (OK)
DES Cipher               not offered (OK)
Triple DES Cipher        not offered (OK)
Medium grade encryption  not offered (OK)
High grade encryption    offered (OK)

--> Testing server preferences

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
Negotiated cipher per proto
     ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
     ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/4a2

--> Testing server defaults (Server Hello)

TLS server extensions        renegotiation info, EC point formats, session ticket, status request
Session Tickets RFC 5077     300 seconds
Server key size              2048 bit
Signature Algorithm          SHA256withRSA
Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                              SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
Common Name (CN)             *.centminmod.com (works w/o SNI)
subjectAltName (SAN)         *.centminmod.com centminmod.com
Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
# of certificates provided   3
Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
OCSP URI                     http://ocsp.comodoca.com
OCSP stapling                OCSP stapling offered

--> Testing HTTP Header response

HSTS          --
HPKP          --
Server        h2o/1.1.2-alpha1
Application   (no banner at "/flags.html")
Cookie(s)     (none issued at "/flags.html")

--> Testing specific vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK)
CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
Renegotiation (CVE 2009-3555)             not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587) =HTTP Compression  no HTTP compression (OK)  (only "/flags.html" tested)
POODLE, SSL (CVE-2014-3566), experimental not vulnerable (OK)
FREAK  (CVE-2015-0204), experimental      not vulnerable (OK)
BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)

--> Checking RC4 Ciphers

no RC4 ciphers detected (OK)

--> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here

OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow...

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
-------------------------------------------------------------------------
xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM     256         
x9f     DHE-RSA-AES256-GCM-SHA384      DH         AESGCM     256         
x6b     DHE-RSA-AES256-SHA256          DH         AES        256         
x39     DHE-RSA-AES256-SHA             DH         AES        256         
xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH       ChaCha20   256         
xc014   ECDHE-RSA-AES256-SHA           ECDH       AES        256         
xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128         
xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128         
x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128         
x67     DHE-RSA-AES128-SHA256          DH         AES        128         
x33     DHE-RSA-AES128-SHA             DH         AES        128         
xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128

testssl tool check for OpenLiteSpeed SSL over port 8099

in particular server preferences configured

Code:

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
Negotiated cipher per proto
     ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
     ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1

For some reason when it gets to ' Secure Client-Initiated Renegotiation' test it hangs so I had to abort

Code:

testssl https://h2ohttp2.centminmod.com:8099/flags.html

#########################################################
testssl v2.3dev  (https://testssl.sh)
($Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $)

   This program is free software. Redistribution +
   modification under GPLv2 is permitted.
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

Note: you can only check the server with what is
available (ciphers/protocols) locally on your machine!
#########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2b-dev)" [~177 ciphers] on
01def0673358:/usr/local/http2-15/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")

Testing now (2015-03-26 21:56) ---> 198.199.94.9:8099 (h2ohttp2.centminmod.com) <---

Service detected:       HTTP

--> Testing Protocols

SSLv2      offered (NOT ok)  -- 4282 ciphers
SSLv3      not offered (OK)
TLSv1      offered
TLSv1.1    offered
TLSv1.2    offered (OK)
SPDY/NPN   h2-14, spdy/3.1, spdy/3, spdy/2, http/1.1 (advertised)

--> Testing standard cipher lists

Null Cipher              not offered (OK)
Anonymous NULL Cipher    not offered (OK)
Anonymous DH Cipher      not offered (OK)
40 Bit encryption        not offered (OK)
56 Bit encryption        not offered (OK)
Export Cipher (general)  not offered (OK)
Low (<=64 Bit)           not offered (OK)
DES Cipher               not offered (OK)
Triple DES Cipher        not offered (OK)
Medium grade encryption  not offered (OK)
High grade encryption    offered (OK)

--> Testing server preferences

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
Negotiated cipher per proto
     ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
     ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1

--> Testing server defaults (Server Hello)

TLS server extensions        renegotiation info, EC point formats, session ticket, status request, heartbeat
Session Tickets RFC 5077     300 seconds
Server key size              2048 bit
Signature Algorithm          SHA256withRSA
Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                              SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
Common Name (CN)             *.centminmod.com (works w/o SNI)
subjectAltName (SAN)         *.centminmod.com centminmod.com
Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
# of certificates provided   3
Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
OCSP URI                     http://ocsp.comodoca.com
OCSP stapling                OCSP stapling offered

--> Testing HTTP Header response

failed (HTTP header request stalled)
HPKP          --
Server        no "Server" line in header, interesting!
Application   (no banner at "/flags.html")
Cookie(s)     (none issued at "/flags.html")

--> Testing specific vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
Secure Client-Initiated Renegotiation     ^C

eva2000 · Mar 27, 2015

webpagetest.org tests

6 way comparison via webpagetest.org at San Fransciso location using Cable 5Mbps test @1920x1200 viewport

Basically from fastest to slowest was as follows

h2o HTTP/2 https

nginx SPDY/3.1 https

openlitespeed HTTP/2 https

h2o non-https

nginx non-https

openlitespeed non-https

Individual Summaries

OpenLiteSpeed HTTP/2 https

Nginx SPDY/3.1 https

h2o HTTP/2 https

OpenLiteSpeed non-https

Nginx non-https

h2o non-https

Filmstrip at 0.5s interval

Filmstrip at 0.1s interval

Charts

eva2000 · Mar 27, 2015

3G Mobile webpagetest.org tests

6 way comparison via webpagetest.org at San Fransciso location using 3G Mobile 1.6Mbps 300ms RTT test @1920x1200 viewport. The benefits of HTTP/2 and SPDY/3.1 based SSL can be clearly seen with lower speed internet connections for total and visual page rendering times despite the higher TTFB and first byte time reported by webpagetest.org due to SSL negotiation overhead.

Basically from fastest to slowest was as follows

h2o HTTP/2 https

nginx SPDY/3.1 https

openlitespeed HTTP/2 https

h2o non-https

nginx non-https

openlitespeed non-https

Compared

Individual Summaries

OpenLiteSpeed HTTP/2 https

Nginx SPDY/3.1 https

h2o HTTP/2 https

OpenLiteSpeed non-https

Nginx non-https

h2o non-https

Filmstrip at 0.5s interval

Filmstrip at 0.1s interval

Charts

eva2000 · Mar 27, 2015

Nginx PageSpeed Enabled Comparisons

For this next comparison test I enabled my Centmin Mod's Nginx ngx_pagespeed module integration for Nginx non-https (port 81) and Nginx SPDY/3.1 https (port 444) which is Google's PageSpeed implementation to speed up web sites and workaround all the HTTP/1.1 limitations. Surprisingly, with Nginx paired with ngx_pagespeed it even beats HTTP/2 in terms of page loads. Using 3G Mobile webpagetest.org comparisons tests you can see the dramatic difference !

ngx_pagespeed speeds up your site and reduces page load time. This open-source nginx server module automatically applies web performance best practices to pages, and associated assets (CSS, JavaScript, images) without requiring that you modify your existing content or workflow.
Click to expand...

Nginx http 80 = http://h2ohttp2.centminmod.com/flags.html

Nginx https SPDY/3.1 443 = https://h2ohttp2.centminmod.com/flags.html

Nginx + ngx_pagespeed http 81 = http://h2ohttp2.centminmod.com:81/flags.html

Nginx + ngx_pagespeed https SPDY/3.1 444 = https://h2ohttp2.centminmod.com:444/flags.html

h2o http 80 = http://h2ohttp2.centminmod.com:8080/flags.html

h2o HTTP/2 8081 = https://h2ohttp2.centminmod.com:8081/flags.html

OpenLiteSpeed 1.4.6 http 8098 = http://h2ohttp2.centminmod.com:8098/flags.html

OpenLiteSpeed 1.4.6 HTTP/2 8099 = https://h2ohttp2.centminmod.com:8099/flags.html

Speed Index / Page Load Times

nginx spdy/3.1 https + ngx_pagespeed = 2.076s / 3.984s <== ngx_pagespeed + SPDY/3.1 fastest of them all

nginx http + ngx_pagespeed = 1.439s / 5.683s <== ngx_pagespeed allowed normal HTTP/1.1 http page load speeds as fast as HTTP/2 and SPDY/3.1 https !

openlitespeed http/2 https = 3.052s / 5.768s

openlitespeed http = 3.535s / 15.355s

h2o http/2 https = 2.236s / 5.033s

h2o http = 3.101s / 14.900s

nginx spdy/3.1 https = 2.378s / 5.172s

nginx http = 3.388s / 15.203s

Filmstrip at 0.5 seconds interval

Filmstrip at 0.1 seconds interval

Charts show the clearer picture

Nginx + ngx_pagespeed auto inlines and converts smaller images into data uris embedded with html page hence the larger html bytes size

Nginx + ngx_pagespeed concats css requests, so halved the css requests

Nginx + ngx_pagespeed auto minifies and concats css so bytes end up smaller

Nginx + ngx_pagespeed auto data uri inlining smaller images ended up reduce actual image request count

Nginx + ngx_pagespeed auto converts images to smaller webp format for browsers that support webp as well as to data uris

eva2000 · Apr 11, 2015

The specific ngx_pagespeed configuration used for Centmin Mod Nginx Pagespeed benchmarks at https://h2ohttp2.centminmod.com/webpagetests1.html is posted below for those curious.

Details on my Centmin Mod Nginx ngx_pagespeed integration background is at http://centminmod.com/nginx_ngx_pagespeed.html

For my /usr/local/nginx/conf/pagespeedadmin.conf nginx include file

Code:

#######################################################
# 1.8.31.2 beta required paths
# https://developers.google.com/speed/pagespeed/module/admin
#######################################################
# 1.9.32.1 beta required change
# https://community.centminmod.com/threads/how-can-i-disable-it-after-installation.1603/#post-7665
# add a second pagespeed on; variable 
# loaded in nginx.conf via pagespeedadmin.conf include file
pagespeed on;
#######################################################
pagespeed FileCachePath /var/ngx_pagespeed_cache;
pagespeed StatisticsPath /ngx_pagespeed_statistics;
pagespeed GlobalStatisticsPath /ngx_pagespeed_global_statistics;
pagespeed MessagesPath /ngx_pagespeed_message;
pagespeed ConsolePath /pagespeed_console;
pagespeed AdminPath /pagespeed_admin;
pagespeed GlobalAdminPath /pagespeed_global_admin;

#######################################################
# Set it to 0 if you want to disable this feature.
 pagespeed MessageBufferSize 100000;

#######################################################
# https://developers.google.com/speed/pagespeed/module/system#tune_thread
# pagespeed NumRewriteThreads 4;
# pagespeed NumExpensiveRewriteThreads 4;

#######################################################
# https://developers.google.com/speed/pagespeed/module/system#image_rewrite_max
# Bound the number of images that can be rewritten at any one time; this
# avoids overloading the CPU.  Set this to 0 to remove the bound.
#
 pagespeed ImageMaxRewritesAtOnce 2;

For my /usr/local/nginx/conf/pagespeed.conf nginx include file in vhost

Code:

pagespeed on;

pagespeed Domain https://h2ohttp2.centminmod.com;
pagespeed LoadFromFile "http://h2ohttp2.centminmod.com" "/home/nginx/domains/h2ohttp2.centminmod.com/public";
pagespeed LoadFromFile "https://h2ohttp2.centminmod.com" "/home/nginx/domains/h2ohttp2.centminmod.com/public";

pagespeed Domain http://h2ohttp2.centminmod.com:81;
pagespeed Domain https://h2ohttp2.centminmod.com:444;
pagespeed LoadFromFile "http://h2ohttp2.centminmod.com:81" "/home/nginx/domains/h2ohttp2.centminmod.com/public";
pagespeed LoadFromFile "https://h2ohttp2.centminmod.com:444" "/home/nginx/domains/h2ohttp2.centminmod.com/public";

pagespeed RewriteDeadlinePerFlushMs 100;

pagespeed InPlaceResourceOptimization off;
pagespeed JpegRecompressionQualityForSmallScreens 60;
pagespeed WebpRecompressionQualityForSmallScreens 60;

#######################################################
# File cache settings 
######################################
# needs to exist and be writable by nginx

# pagespeed FileCacheSizeKb          102400;
# pagespeed FileCacheCleanIntervalMs 3600000;
# pagespeed FileCacheInodeLimit      500000;

#######################################################
# Set it to 0 if you want to disable this feature.
# pagespeed MessageBufferSize 100000;

#######################################################
# By default, ngx_pagespeed adds an X-PageSpeed header with a value of the version of 
# ngx_pagespeed being used. This directive lets you specify the value to use instead:
# pagespeed XHeaderValue "ngx_pagespeed";

#######################################################
# let's speed up PageSpeed by storing it in the super duper fast memcached
# Ensure Memcached server installed http://centminmod.com/memcached.html
# default install for centmin mod is on port 11211, so localhost:11211 is correct
# uncomment - remove hash # in front of below 2 lines to enable
# timeout set at 100 milliseconds
  pagespeed MemcachedThreads 1;
  pagespeed MemcachedServers "localhost:11211";
  pagespeed MemcachedTimeoutUs 100000;

#######################################################
## https://developers.google.com/speed/pagespeed/module/admin#virtual-hosts-and-stats
######################################
# pagespeed UsePerVhostStatistics on;

#######################################################
## 1.7.30.1 beta defaults
######################################
pagespeed PreserveUrlRelativity on;
pagespeed MaxCombinedCssBytes -1;
pagespeed ImageResolutionLimitBytes 16777216;
# pagespeed EnableFilters inline_google_font_css;

#######################################################
## 1.6.29.3 beta defaults
######################################
pagespeed AvoidRenamingIntrospectiveJavascript on;
pagespeed ImageInlineMaxBytes 3072;
pagespeed CssImageInlineMaxBytes 0;
pagespeed MaxInlinedPreviewImagesIndex -1;
pagespeed MinImageSizeLowResolutionBytes 3072;

#######################################################
## ngx_pagespeed filters settings below ##
######################################

  # show half the users an optimized site, half the regular site
  # change UA-XXXXXXXXXX-1 to your GA unique id
  # uncomment - remove hash # in front of below 5 lines to enable
#  pagespeed RunExperiment on;
#  pagespeed AnalyticsID UA-XXXXXXXXXX-1;
#  pagespeed ExperimentVariable 1;
#  pagespeed ExperimentSpec "id=1;percent=50;level=CoreFilters;enabled=collapse_whitespace,remove_comments;";
#  pagespeed ExperimentSpec "id=2;percent=50";

  # Filter settings
  # filters outlined at http://ngxpagespeed.com/ngx_pagespeed_example/
  pagespeed RewriteLevel CoreFilters;
  pagespeed EnableFilters collapse_whitespace,remove_comments;

  # make_google_analytics_async
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-make-google-analytics-async
#  pagespeed EnableFilters make_google_analytics_async;

  # prioritize_critical_css
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-prioritize-critical-css
   pagespeed EnableFilters prioritize_critical_css;

  # move_css_to_head
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-to-head
  pagespeed EnableFilters move_css_to_head;

  # move_css_above_scripts
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-above-scripts
  pagespeed EnableFilters move_css_above_scripts;

  # combine_css 
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-combine
  pagespeed EnableFilters combine_css;

   # Uncomment this if you want to prevent mod_pagespeed from combining files
   # (e.g. CSS files) across paths
   #
#  pagespeed CombineAcrossPaths off;

  # combine_javascript
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-js-combine
  pagespeed EnableFilters combine_javascript;
  pagespeed MaxCombinedJsBytes 122900;

  # extend_cache
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-cache-extend
#  pagespeed EnableFilters extend_cache;

  # rewrite_css
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-css-rewrite
  pagespeed EnableFilters rewrite_css;

  # rewrite_javascript
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-js-minify
  pagespeed EnableFilters rewrite_javascript;

  # inline_preview_images
  # https://developers.google.com/speed/pagespeed/module/filter-inline-preview-images
  pagespeed EnableFilters inline_preview_images;

  # lazyload_images
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-lazyload-images
  pagespeed EnableFilters lazyload_images;

  # rewrite_images
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-image-optimize
  pagespeed EnableFilters rewrite_images;
#  pagespeed DisableFilters rewrite_images;
   pagespeed DisableFilters recompress_images;
#  pagespeed DisableFilters convert_png_to_jpeg;
   pagespeed DisableFilters extend_cache_images;
  pagespeed EnableFilters convert_png_to_jpeg;
  pagespeed EnableFilters convert_jpeg_to_webp;
  pagespeed EnableFilters convert_to_webp_lossless;

  # sprite_images
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-image-sprite
# pagespeed EnableFilters rewrite_css,sprite_images;

  # Bound the number of images that can be rewritten at any one time; this
  # avoids overloading the CPU.  Set this to 0 to remove the bound.
  #
#  pagespeed ImageMaxRewritesAtOnce 2;

  # insert_dns_prefetch
  # https://developers.google.com/speed/docs/mod_pagespeed/filter-insert-dns-prefetch
#  pagespeed EnableFilters insert_dns_prefetch;

#######################################################

Log in / Register

Forums

Want to subscribe to topics you're interested in?

SSL HTTP/2 - h2o vs OpenLiteSpeed vs Nginx SPDY/3.1

eva2000 Administrator Staff Member

HTTP/2 and SPDY/3.1 Test Configurations

Nginx & h2o Server Configurations

nghttp2 client checks

cipherscan tests

testssl check

eva2000 Administrator Staff Member

webpagetest.org tests

eva2000 Administrator Staff Member

3G Mobile webpagetest.org tests

eva2000 Administrator Staff Member

Nginx PageSpeed Enabled Comparisons

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want to subscribe to topics you're interested in?

SSL HTTP/2 - h2o vs OpenLiteSpeed vs Nginx SPDY/3.1

eva2000 Administrator Staff Member

HTTP/2 and SPDY/3.1 Test Configurations

Nginx & h2o Server Configurations

nghttp2 client checks

cipherscan tests

testssl check

eva2000 Administrator Staff Member

webpagetest.org tests

eva2000 Administrator Staff Member

3G Mobile webpagetest.org tests

eva2000 Administrator Staff Member

Nginx PageSpeed Enabled Comparisons

eva2000 Administrator Staff Member

.