Join the community today
Register Now

Featured SSL Nginx SPDY/3.1 vs h2o HTTP/2 vs non-https benchmarks & tests

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Mar 22, 2015.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    26,465
    6,078
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +8,896
    Local Time:
    1:46 AM
    Nginx 1.11.x
    MariaDB 5.5
    Ever since Google announced dropping SPDY for HTTP/2, I've started looking at HTTP/2 testing. For HTTP/2 testing, I am using h2o HTTP/2 static file and reverse proxy server (and also OpenLiteSpeed). Nginx has yet to fully implement HTTP/2 but they have outlined their plans for this year for Nginx HTTP/2 support How NGINX Plans to Support HTTP/2.. Update: Added OpenLiteSpeed web server to the mix which supports HTTP/2 as well SSL - HTTP/2 - h2o vs OpenLiteSpeed vs Nginx SPDY/3.1 :D

    For folks confused with all the info, charts etc, the basic take away from below tests is SSL is not slow compared to non-SSL if it's deployed using either SPDY/3.1 SSL or HTTP/2 over SSL and that HTTP/2 will end up faster than SPDY/3.1.

    HTTP/2 and SPDY/3.1 Test Configurations



    I am using my World Flags Demo site template to test Nginx SPDY/3.1 SSL vs h2o HTTP/2 SSL vs non-https for both Nginx & h2o served files using 4 different setups as outlined below.
    H2O HTTP/2 server installed via h2o_installer. Nginx installed via Centmin Mod.

    I will be using webpagetest.org and various other tools, including nghttp2 C library's bundled h2load HTTP/2 load and stress testing tool. Think of h2load is to HTTP/2 servers as apachebench, wrk, siege load tests is to HTTP/1 and HTTP/1.1 load testing.

    Nginx & h2o Server Configurations


    • 1 cpu core KVM DigitalOcean VPS
    • 512MB RAM
    • 25GB SSD
    • CentOS 6.6 32bit
    • Centmin Mod .08 beta02
    • San Francisco location

    WebpageTest



    For very first test using webpagetest San Franciso location I set custom test viewport size to 1920x1080 instead of default 1024x768 that webpagetest uses so that webpagetest filmstrip view can properly display a comparison of the World flags loading progress over time.

    Individual summaries

    h2o non-https

    summary_h2o_non-https_00.png

    Nginx non-https

    summary_nginx_non-https_00.png

    Nginx SPDY/3.1 https

    summary_nginx_spdy_00.png

    h2o HTTP/2 https

    summary_h2o_http2_https_00.png

    FYI, typo in below should read non-https not non-http :)

    video_compare_1920_00_tn.png

    filmstrip view at 0.5 second intervals

    As you can clearly see h2o HTTP/2 over https was fastest, followed by Nginx SPDY/3.1, then the 0.5 second interval doesn't show it but non-https Nginx beats non-https h2o server (probably due to Centmin Mod Nginx's tuned settings). Only started learning about h2o server so much to tune :)

    filmstrip_1920_500ms_intervals_00.png

    filmstrip view at 0.1 second intervals

    At 0.1 second intervals better illustrates the full page load speed difference between Nginx SPDY/3.1 vs h2o HTTP/2 vs non-https served from Nginx and h2o. Clearly shows h2o HTTP/2 over https winning by a noticeable difference for this World flags demo.

    filmstrip_1920_00.png
    filmstrip_1920_01.png
    filmstrip_1920_02.png
    filmstrip_1920_03.png

    webpagetest comparison charts

    filmstrip_charts_00.png
    filmstrip_charts_01.png

    filmstrip_charts_02.png
    filmstrip_charts_03.png
     
    Last edited: Mar 27, 2015
    • Like Like x 3
    • Informative Informative x 1
  2. eva2000

    eva2000 Administrator Staff Member

    26,465
    6,078
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +8,896
    Local Time:
    1:46 AM
    Nginx 1.11.x
    MariaDB 5.5
    First post webpagetest was with 5Mbps cable speed. This time for Nginx SPDY/3.1 vs h2o HTTP/2 vs non-https using webpagetest FIOS 20Mbps speed and 1920x1200 viewport.

    video_compare_1920_00_tn.png
    individual summaries

    summary_h2o_http2_https_00.png
    summary_nginx_spdy_00.png
    summary_h2o_non-https_00.png
    summary_nginx_non-https_00.png
    Filmstrip at 0.5 second interval

    filmstrip_1920_500ms_intervals_00.png

    Filmstrip at 0.1 seconds interval

    filmstrip_1920_00.png
    filmstrip_1920_01.png
    filmstrip_1920_02.png

    filmstrip_charts_00.png
    filmstrip_charts_01.png

    filmstrip_charts_02.png
    filmstrip_charts_03.png

    Curl headers



    Curl headers for the 4 configurations

    curl over HTTP/1.1 for Nginx non-https
    Code:
    curl -I http://h2ohttp2.centminmod.com/flags.html
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Date: Mon, 23 Mar 2015 10:11:39 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 62307
    Last-Modified: Sun, 22 Mar 2015 08:32:55 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "550e7e37-f363"
    Expires: Thu, 23 Apr 2015 10:11:39 GMT
    Cache-Control: max-age=2678400
    Cache-Control: public, must-revalidate, proxy-revalidate
    Accept-Ranges: bytes
    
    curl over HTTP/1.1 for Nginx SPDY/3.1
    Code:
    curl -I https://h2ohttp2.centminmod.com/flags.html
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Date: Mon, 23 Mar 2015 10:11:50 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 62307
    Last-Modified: Sun, 22 Mar 2015 08:32:55 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "550e7e37-f363"
    Expires: Thu, 23 Apr 2015 10:11:50 GMT
    Cache-Control: max-age=2678400
    Cache-Control: public, must-revalidate, proxy-revalidate
    Accept-Ranges: bytes
    
    curl over HTTP/1.1 for h2o non-https
    Code:
    curl -I http://h2ohttp2.centminmod.com:8080/flags.html
    HTTP/1.1 200 OK
    Date: Mon, 23 Mar 2015 10:11:58 GMT
    Server: h2o/1.1.2-alpha1
    Connection: keep-alive
    Content-Length: 62307
    content-type: text/html
    last-modified: Sun, 22 Mar 2015 08:32:55 GMT
    etag: "550e7e37-f363"
    vary: accept-encoding
    cache-control: max-age=2678400
    powered by: h2o on centminmod.com
    link: </style.css>; rel=preload; as=stylesheet, </reset.css>; rel=preload; as=stylesheet
    
    curl over HTTP/1.1 for h2o HTTP/2
    Code:
    curl -I https://h2ohttp2.centminmod.com:8081/flags.html
    HTTP/1.1 200 OK
    Date: Mon, 23 Mar 2015 10:12:07 GMT
    Server: h2o/1.1.2-alpha1
    Connection: keep-alive
    Content-Length: 62307
    content-type: text/html
    last-modified: Sun, 22 Mar 2015 08:32:55 GMT
    etag: "550e7e37-f363"
    vary: accept-encoding
    cache-control: max-age=2678400
    powered by: h2o on centminmod.com
    link: </style.css>; rel=preload; as=stylesheet, </reset.css>; rel=preload; as=stylesheet
    
    curl over HTTP/2 for h2o non-https upgrades to HTTP/2 if client (curl) supports HTTP/2
    Code:
    curl --http2 -I http://h2ohttp2.centminmod.com:8080/flags.html
    HTTP/1.1 101 Switching Protocols
    Date: Mon, 23 Mar 2015 10:12:30 GMT
    Server: h2o/1.1.2-alpha1
    Connection: upgrade
    upgrade: h2c
    
    HTTP/2.0 200
    server:h2o/1.1.2-alpha1
    date:Mon, 23 Mar 2015 10:12:30 GMT
    content-type:text/html
    last-modified:Sun, 22 Mar 2015 08:32:55 GMT
    etag:"550e7e37-f363"
    vary:accept-encoding
    cache-control:max-age=2678400
    link:</style.css>; rel=preload; as=stylesheet, </reset.css>; rel=preload; as=stylesheet
    
    curl over HTTP/2 for h2o HTTP/2
    Code:
    curl --http2 -I https://h2ohttp2.centminmod.com:8081/flags.html
    HTTP/2.0 200
    server:h2o/1.1.2-alpha1
    date:Mon, 23 Mar 2015 10:12:44 GMT
    content-type:text/html
    last-modified:Sun, 22 Mar 2015 08:32:55 GMT
    etag:"550e7e37-f363"
    vary:accept-encoding
    cache-control:max-age=2678400
    link:</style.css>; rel=preload; as=stylesheet, </reset.css>; rel=preload; as=stylesheet
    

    nghttp2 checks



    Using nghttp2 client, nghttp which supports HTTP/2 to check what protocols are offered by Nginx SPDY/3.1 https and h2o HTTP/2 https.

    Nginx SPDY/3.1 supports spdy/3.1 and http/1.1
    Code:
    nghttp -nv https://h2ohttp2.centminmod.com/flags.html
    [  0.121] Connected
    [  0.200][NPN] server offers:
              * spdy/3.1
              * http/1.1
    [ERROR] HTTP/2 protocol was not selected. (nghttp2 expects h2-14)
    h2o HTTP/2 supports HTTP/2 protocols and drafts - h2, h2-14, and h2-16
    Code:
    nghttp -nv https://h2ohttp2.centminmod.com:8081/flags.html
    [  0.112] Connected
    [  0.199][NPN] server offers:
              * h2
              * h2-16
              * h2-14
    The negotiated protocol: h2

    cipherscan tests for h2o HTTP/2 & Nginx SPDY/3.1



    cipherscan tool also bundled in my nghttp2 Ubuntu docker image to check SSL configuration of both server's https deployment. Made sure to use exact same cipher preferences in repsective Nginx and h2o config files.

    cipherscan tests for Nginx SPDY/3.1 SSL on port 443
    Code:
    cipherscan h2ohttp2.centminmod.com:443   
    ....................
    Target: h2ohttp2.centminmod.com:443
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         ECDH,P-256,256bits
    10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True         DH,4096bits
    14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     43200        True
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     43200        True
    
    OCSP stapling: supported
    Server side cipher ordering
    cipherscan test for h2o HTTP/2 SSL on port 8081
    Code:
    cipherscan h2ohttp2.centminmod.com:8081
    ....................
    Target: h2ohttp2.centminmod.com:8081
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         ECDH,P-256,256bits
    10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True         DH,4096bits
    14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     300          True
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     300          True
    
    OCSP stapling: supported
    Server side cipher ordering

    testssl check



    testssl is another tool bundled in my nghttp2 Ubuntu docker image

    testssl tool check for Nginx SPDY/3.1 SSL

    in particular server preferences configured
    Code:
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1
    Code:
    testssl https://h2ohttp2.centminmod.com/flags.html                             
    
    #########################################################
    testssl v2.3dev  (https://testssl.sh)
    ($Id: testssl.sh,v 1.214 2015/03/17 21:12:24 dirkw Exp $)
    
    Service detected:       HTTP
    
    --> Testing Protocols
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLSv1      offered
    TLSv1.1    offered
    TLSv1.2    offered (OK)
    SPDY/NPN   spdy/3.1, http/1.1 (advertised)
    
    --> Testing standard cipher lists
    
    Null Cipher              not offered (OK)
    Anonymous NULL Cipher    not offered (OK)
    Anonymous DH Cipher      not offered (OK)
    40 Bit encryption        not offered (OK)
    56 Bit encryption        not offered (OK)
    Export Cipher (general)  not offered (OK)
    Low (<=64 Bit)           not offered (OK)
    DES Cipher               not offered (OK)
    Triple DES Cipher        not offered (OK)
    Medium grade encryption  not offered (OK)
    High grade encryption    offered (OK)
    
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/3.1
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        server name, renegotiation info, EC point formats, session ticket, status request, heartbeat
    Session Tickets RFC 5077     43200 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256withRSA
    Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
    Common Name (CN)             *.centminmod.com (works w/o SNI)
    subjectAltName (SAN)         *.centminmod.com centminmod.com
    Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
    Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                OCSP stapling offered
    
    --> Testing HTTP Header response
    
    HSTS          --
    HPKP          --
    Server        nginx centminmod
    Application   (no banner at "/flags.html")
    Cookie(s)     (none issued at "/flags.html")
    
    --> Testing specific vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
    CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    Renegotiation (CVE 2009-3555)             not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587) =HTTP Compression  NOT ok: uses gzip compression  (only "/flags.html" tested)
    POODLE, SSL (CVE-2014-3566), experimental not vulnerable (OK)
    FREAK  (CVE-2015-0204), experimental      not vulnerable (OK)
    BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
    
    --> Checking RC4 Ciphers
    
    no RC4 ciphers detected (OK)
    
    --> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here
    
    OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow...
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
    -------------------------------------------------------------------------
    xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM     256       
    x9f     DHE-RSA-AES256-GCM-SHA384      DH         AESGCM     256       
    x6b     DHE-RSA-AES256-SHA256          DH         AES        256       
    x39     DHE-RSA-AES256-SHA             DH         AES        256       
    xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH       ChaCha20   256       
    xc014   ECDHE-RSA-AES256-SHA           ECDH       AES        256       
    xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128       
    xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128       
    x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128       
    x67     DHE-RSA-AES128-SHA256          DH         AES        128       
    x33     DHE-RSA-AES128-SHA             DH         AES        128       
    xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128       
    
    testssl tool check for h2o HTTP/2 SSL over port 8081

    in particular server preferences configured - spdy/4a2 = HTTP/2 ?
    Code:
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/4a2
    
    Code:
    testssl https://h2ohttp2.centminmod.com:8081/flags.html
    
    #########################################################
    testssl v2.3dev  (https://testssl.sh)
    
    Service detected:       HTTP
    
    --> Testing Protocols
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLSv1      offered
    TLSv1.1    offered
    TLSv1.2    offered (OK)
    SPDY/NPN   please check manually, response from server was ambigious ...
    
    --> Testing standard cipher lists
    
    Null Cipher              not offered (OK)
    Anonymous NULL Cipher    not offered (OK)
    Anonymous DH Cipher      not offered (OK)
    40 Bit encryption        not offered (OK)
    56 Bit encryption        not offered (OK)
    Export Cipher (general)  not offered (OK)
    Low (<=64 Bit)           not offered (OK)
    DES Cipher               not offered (OK)
    Triple DES Cipher        not offered (OK)
    Medium grade encryption  not offered (OK)
    High grade encryption    offered (OK)
    
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305
    Negotiated cipher per proto
         ECDHE-RSA-AES128-SHA:          TLSv1, TLSv1.1
         ECDHE-RSA-CHACHA20-POLY1305:   TLSv1.2, spdy/4a2
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket, status request, heartbeat
    Session Tickets RFC 5077     300 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256withRSA
    Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
    Common Name (CN)             *.centminmod.com (works w/o SNI)
    subjectAltName (SAN)         *.centminmod.com centminmod.com
    Issuer                       COMODO RSA Domain Validation Secure Server CA ('COMODO CA Limited' from 'GB')
    Certificate Expiration       >= 60 days  (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                OCSP stapling offered
    
    --> Testing HTTP Header response
    
    HSTS          --
    HPKP          --
    Server        h2o/1.1.2-alpha1
    Application   (no banner at "/flags.html")
    Cookie(s)     (none issued at "/flags.html")
    
    --> Testing specific vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
    CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    Renegotiation (CVE 2009-3555)             not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587) =HTTP Compression  no HTTP compression (OK)  (only "/flags.html" tested)
    POODLE, SSL (CVE-2014-3566), experimental not vulnerable (OK)
    FREAK  (CVE-2015-0204), experimental      not vulnerable (OK)
    BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
    
    --> Checking RC4 Ciphers
    
    no RC4 ciphers detected (OK)
    
    --> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here
    
    OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow...
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
    -------------------------------------------------------------------------
    xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM     256       
    x9f     DHE-RSA-AES256-GCM-SHA384      DH         AESGCM     256       
    x6b     DHE-RSA-AES256-SHA256          DH         AES        256       
    x39     DHE-RSA-AES256-SHA             DH         AES        256       
    xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH       ChaCha20   256       
    xc014   ECDHE-RSA-AES256-SHA           ECDH       AES        256       
    xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128       
    xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128       
    x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128       
    x67     DHE-RSA-AES128-SHA256          DH         AES        128       
    x33     DHE-RSA-AES128-SHA             DH         AES        128       
    xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128       
    
     
    Last edited: Mar 24, 2015
  3. eva2000

    eva2000 Administrator Staff Member

    26,465
    6,078
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +8,896
    Local Time:
    1:46 AM
    Nginx 1.11.x
    MariaDB 5.5

    Real World Opera 28 Developer Tools Tests



    I am located in Brisbane Australia on Telstra Bigpond Cable connection with ~215ms ping times from the Nginx/h2o test server located in DigitalOcean San Franciso. According to speedtest.net my average cable speed to California locations is

    [​IMG] [​IMG]

    All tests done with developer tools Disabled cache checked.

    Opera 28 with HTTP2 enabled (SPDY/4) developer tools test over HTTP/1.1 for Nginx non-https
    time to load entire World flags demo page = 10.39s

    opera28_devtools_nginx_non-https_00.png

    Opera 28 with HTTP2 enabled (SPDY/4) developer tools test over HTTP/1.1 for Nginx SPDY/3.1
    time to load entire World flags demo page = 2.90s

    opera28_devtools_nginx_spdy_https_00.png

    Opera 28 with HTTP2 enabled (SPDY/4) developer tools test over HTTP/1.1 for h2o non-https
    time to load entire World flags demo page = 10.72s

    opera28_devtools_h2o_non-https_00.png

    Opera 28 with HTTP2 enabled (SPDY/4) developer tools test over HTTP/2 for h2o HTTP/2
    time to load entire World flags demo page = 2.77s

    opera28_devtools_h2o_http2-https_00.png

    Again, h2o HTTP/2 SSL is fastest, followed by Nginx SPDY/3.1 SSL, then Nginx non-https and then h2o non-https.
     
  4. eva2000

    eva2000 Administrator Staff Member

    26,465
    6,078
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +8,896
    Local Time:
    1:46 AM
    Nginx 1.11.x
    MariaDB 5.5

    Nexus 7 3G Mobile Tests



    Next webpagetest.org tests are for Nexus 7 Chrome on 3G mobile 1.6Mbps/768Kbps 300ms RTT and this is where SPDY/3.1 and HTTP/2 really shine :) If your web site or forums have a large mobile/tablet audience, you'd want to be using Nginx SPDY/3.1 SSL over https and eventually on HTTP/2 over SSL :D

    non-https h2o and nginx server tests for World Flags demo is slowest with page load time at 22.383s and 20.202s respectively. And more importantly perceived visual load time Speed Index time is 8.083s and 8.122s respectively.

    Nginx SPDY/3.1 SSL and h2o HTTP/2 SSL page load times were dramatically better for 3G mobile speeds at 5.955s and 6.619s respectively. Speed Index times where 3.243s and 3.517s respectively.

    video_compare_nexus7_00.png
    Individual summaries

    h2o HTTP/2 SSL

    summary_h2o_http2-https_00.png

    nginx SPDY/3.1 SSL

    summary_h2o_spdy-https_00.png

    h2o non-https

    summary_h2o_non-https_00.png

    nginx non-https

    summary_nginx_non-https_00.png

    Filmstrip comparison at 0.5s intervals

    filmstrip_nexus7_500ms_00.png filmstrip_nexus7_500ms_01.png filmstrip_nexus7_500ms_02.png filmstrip_nexus7_500ms_03.png filmstrip_nexus7_500ms_04.png

    Comparison charts

    nexus7_chart_00.png
    nexus7_chart_01.png

    nexus7_chart_02.png
    nexus7_chart_03.png
     
    Last edited: Mar 24, 2015
    • Useful Useful x 1
  5. eva2000

    eva2000 Administrator Staff Member

    26,465
    6,078
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +8,896
    Local Time:
    1:46 AM
    Nginx 1.11.x
    MariaDB 5.5

    slowhttptest slowris test



    Quick slowris testing using slowhttptest tool. I used my CentOS 6 Docker image which bundled slowhttptest tool (along with other tools), https://registry.hub.docker.com/u/centminmod/docker-centos6-siege/. Both Nginx and h2o held up pretty well. Probably need to tune h2o settings a bit more ?

    Test parameters
    • Test type SLOW HEADERS
    • Number of connections 4096
    • Verb GET
    • Content-Length header value 4096
    • Extra data max length 68
    • Interval between follow up data 10 seconds
    • Connections per seconds 128
    • Timeout for probe connection 3
    • Target test duration 240 seconds
    • Using proxy no proxy
    Test method

    Test was run from my dedicated server in Montreal, Xeon E3-1245v2, 32GB to the target Nginx/h2o server in San Francisco.

    Launching the docker container called siegecmd mounting and linking host and container directories for /home/docker_siege where I saved the test results.
    Code:
    mkdir -p /home/docker_siege
    docker run -ti --name siegecmd -v /home/docker_siege:/home/docker_siege centminmod/docker-centos6-siege /bin/bash
    Within docker container ran slowhttptest against each of the 4 urls defined in URL variable
    Code:
    cd /home/docker_siege
    
    URL=http://h2ohttp2.centminmod.com/flags.html
    URL=https://h2ohttp2.centminmod.com/flags.html
    URL=http://h2ohttp2.centminmod.com:8080/flags.html
    URL=https://h2ohttp2.centminmod.com:8081/flags.html
    
    slowhttptest -c 4096 -H -g -o slowhttptest_centminmod_nginx_http -i 10 -l 240 -t GET -u $URL -p 3 -r 128
    slowhttptest results

    Nginx non-https

    nginx_http_00.png

    h2o non-https

    h2o_http_00.png

    Nginx SPDY/3.1 https

    nginx_spdy_https_00.png

    h2o HTTP/2 https

    h2o_http2_https_00.png
     
  6. eva2000

    eva2000 Administrator Staff Member

    26,465
    6,078
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +8,896
    Local Time:
    1:46 AM
    Nginx 1.11.x
    MariaDB 5.5
Thread Status:
Not open for further replies.