
OpenSSL OpenSSL ECDSA Performance improvements

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Dec 31, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    54,394
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    10:56 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Looks like OpenSSL development for ECDSA performance has hit a new level: Vlad Krasnov on Twitter
    Centmin Mod letsencrypt, as with most SSL certs, is using RSA 2048-bit (with optional support for ECC 256-bit ECDSA SSL certs) instead of the more performant ECC 256-bit ECDSA SSL certs, probably due to backwards compatibility with web clients/browsers. But I wonder how compatible most folks' clients are with ECC 256-bit ECDSA SSL certs now?


    FYI, ECC 256 bit vs RSA 2048 bit SSL

    @bassie are you using ECC 256-bit ECDSA SSL certs much?

    Though Nginx 1.11.0 and higher support dual SSL certs, with RSA 2048-bit + ECC 256-bit ECDSA working on the same site, if using the right version of OpenSSL: SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support !
     
  2. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    1:56 AM
  3. eva2000

    Ah thanks for sharing :D
     
  4. eva2000

    Looking very good for ECDSA performance thanks to the OpenSSL 1.1.0g backported patch @bassie shared. Focus on the signs/s results.

    On OVH Core i7 4790K 4C/8T server

    The patch resulted in 43.4% faster ECDSA signs/s and 15.4% faster ECDSA verify/s :cool:

    OpenSSL 1.1.0g   rsa 2048 signs/s   rsa 2048 verify/s   ecdsa 256bit signs/s   ecdsa 256bit verify/s
    before patch     8278.4             181818.2            121212.1               43450.5
    after patch      8299.9             181818.2            173813.0               50157.2


    before ECDSA OpenSSL 1.1.0g backported patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000121s 0.000005s   8278.4 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  43450.5
    

    after patch
    Code (Text):
    openssl speed -multi 8 rsa2048 ecdsap256
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                     sign    verify    sign/s verify/s
    rsa 2048 bits 0.000120s 0.000005s   8299.9 181818.2
                                 sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 173913.0  50157.2
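
Added example, not part of the original posts: a small Python parser for the `openssl speed` summary rows shown in the two runs above, reporting the percentage change per algorithm. The function names are my own; the sample rows are copied from the posted output, and only the ops/s columns are used because the per-operation times for ECDSA print as 0.0000s.

```python
import re

# Summary rows copied from the "before" and "after" runs posted above.
BEFORE = """\
rsa 2048 bits 0.000121s 0.000005s   8278.4 181818.2
 256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  43450.5
"""
AFTER = """\
rsa 2048 bits 0.000120s 0.000005s   8299.9 181818.2
 256 bit ecdsa (nistp256)   0.0000s   0.0000s 173913.0  50157.2
"""

# Two row shapes appear in the output:
#   rsa 2048 bits <sign time>s <verify time>s <sign/s> <verify/s>
#   256 bit ecdsa (nistp256) <sign time>s <verify time>s <sign/s> <verify/s>
ROW = re.compile(
    r"^\s*(?:(?P<rsa>rsa)\s+(?P<rbits>\d+)\s+bits"
    r"|(?P<ebits>\d+)\s+bits?\s+ecdsa\s+\((?P<curve>[\w-]+)\))"
    r"\s+[\d.]+s\s+[\d.]+s\s+(?P<sign>[\d.]+)\s+(?P<verify>[\d.]+)\s*$"
)

def parse_speed(text):
    """Return {algorithm: {"sign/s": float, "verify/s": float}}."""
    results = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # version banner, compiler flags, column headers
        key = f"rsa{m['rbits']}" if m["rsa"] else f"ecdsa-{m['curve']}"
        results[key] = {"sign/s": float(m["sign"]),
                        "verify/s": float(m["verify"])}
    return results

def compare(before_text, after_text):
    """Percentage change in ops/s for every algorithm present in both runs."""
    before, after = parse_speed(before_text), parse_speed(after_text)
    return {
        key: {op: 100.0 * (after[key][op] - before[key][op]) / before[key][op]
              for op in before[key]}
        for key in before.keys() & after.keys()
    }

if __name__ == "__main__":
    for algo, deltas in sorted(compare(BEFORE, AFTER).items()):
        print(algo, {op: f"{pct:+.2f}%" for op, pct in deltas.items()})
```

Feeding it the full captured output of each run works as well, since non-result lines are skipped.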