OpenSSL ECDSA Performance improvements

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Dec 31, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    Looks like OpenSSL development for ECDSA performance has hit a new level: Vlad Krasnov on Twitter

    Centmin Mod letsencrypt, as are most SSL certs, is using RSA 2048bit (with optional support for ECC 256bit ECDSA SSL certs) instead of more performant ECC 256bit ECDSA SSL certs, probably due to backwards compatibility with web clients/browsers. But I wonder how compatible most folks' clients are with ECC 256bit ECDSA SSL certs now?

    FYI, ECC 256 bit vs RSA 2048 bit SSL

    @bassie are you using ECC 256 bit ECDSA SSL certs much?

    Though Nginx 1.11.0 and higher support dual SSL certs for RSA 2048bit + ECC 256bit ECDSA working on the same site if using the right version of OpenSSL: SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support!
     
  2. bassie

    bassie Active Member

  3. eva2000

    Ah thanks for sharing :D
     
  4. eva2000

    Looking very good for ECDSA performance thanks to the OpenSSL 1.1.0g backported patch @bassie shared. Focus on the signs/s results.

    On OVH Core i7 4790K 4C/8T server

    The patch resulted in 43.4% faster ECDSA signs/s and 15.4% faster ECDSA verify/s

    OpenSSL 1.1.0g   rsa 2048 signs/s   rsa 2048 verify/s   ecdsa 256bit signs/s   ecdsa 256bit verify/s
    before patch     8278.4             181818.2            121212.1               43450.5
    after patch      8299.9             181818.2            173813.0               50157.2


    before ECDSA OpenSSL 1.1.0g backported patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000121s 0.000005s   8278.4 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  43450.5
    

    after patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000120s 0.000005s   8299.9 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 173913.0  50157.2
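
Added example, not part of the original posts: a small Python parser for the result rows of `openssl speed` that computes the before/after change in sign/s and verify/s. The `BEFORE` and `AFTER` rows are copied from the two outputs posted above; the names `parse_speed` and `percent_change` are this example's own.

```python
import re

# Result rows copied from the "before" and "after" outputs in the post above.
BEFORE = """\
                 sign    verify    sign/s verify/s
rsa 2048 bits 0.000121s 0.000005s   8278.4 181818.2
                             sign    verify    sign/s verify/s
 256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  43450.5
"""
AFTER = """\
                 sign    verify    sign/s verify/s
rsa 2048 bits 0.000120s 0.000005s   8299.9 181818.2
                             sign    verify    sign/s verify/s
 256 bit ecdsa (nistp256)   0.0000s   0.0000s 173913.0  50157.2
"""

# Matches "rsa 2048 bits ..." and " 256 bit ecdsa (nistp256) ..." rows.
# Header lines ("sign verify sign/s verify/s") do not match and are skipped.
ROW = re.compile(
    r"^\s*(?P<name>(?:rsa|dsa)\s+\d+\s+bits|\d+\s+bit\s+\w+\s+\([^)]+\))"
    r"\s+[\d.]+s\s+[\d.]+s"                      # per-operation times
    r"\s+(?P<sign>[\d.]+)\s+(?P<verify>[\d.]+)\s*$"  # operations per second
)


def parse_speed(text):
    """Return {algorithm: (sign/s, verify/s)} from `openssl speed` output."""
    results = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name = " ".join(m["name"].split())  # normalise column padding
            results[name] = (float(m["sign"]), float(m["verify"]))
    return results


def percent_change(before, after):
    """Percent change in (sign/s, verify/s) for algorithms present in both runs."""
    b, a = parse_speed(before), parse_speed(after)
    return {
        name: tuple(round((new / old - 1) * 100, 1)
                    for new, old in zip(a[name], b[name]))
        for name in b.keys() & a.keys()
    }


if __name__ == "__main__":
    # The per-op times print as 0.0000s for ECDSA, so compare ops/s instead.
    for name, (sign, verify) in sorted(percent_change(BEFORE, AFTER).items()):
        print(f"{name}: sign/s {sign:+.1f}%  verify/s {verify:+.1f}%")
```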