Welcome to Centmin Mod Community
Register Now

SSL Tools for debugging, testing & using HTTP/2 + Docker image

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Dec 9, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    30,968
    6,919
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,422
    Local Time:
    2:06 PM
    Nginx 1.13.x
    MariaDB 5.5
    Cloudflare posted a new blog article outlining tools you can use to test, debug and use HTTP/2 with including nghttp2, h2i, h2spec, curl 7.43+ etc. It just happens I have been maintaining a Ubuntu Vivid based Docker image for nghttp2 client and majority of the HTTP/2 and TLS/SSL testing tools mentioned in the article along with additional cipherscan tool, testssl.sh tool, h2spec and ssllabs-scan tool etc at https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2/.
    The Ubuntu Vivid based nghttp2 Docker image was apart of my Centmin Mod Docker Developer forum work and learning so check out the forums ;)

    As part of the nghttp2 library and client bundle, there's a h2load tool. Think of it as a HTTP/2 version of apachebench or siege bench for stress and load testing HTTP/2 enabled sites over HTTP/2 client connections instead of HTTP/1.1. Documentation for h2load tool at https://nghttp2.org/documentation/h2load-howto.html

     
    Last edited: Dec 10, 2015
  2. eva2000

    eva2000 Administrator Staff Member

    30,968
    6,919
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,422
    Local Time:
    2:06 PM
    Nginx 1.13.x
    MariaDB 5.5
    Example tools from my Ubuntu Vivid based Docker image for nghttp2 client, library and HTTP/2 bundled tools.

    OpenSSL 1.02f dev build with chacha20 cipher patch support
    Code:
    /usr/local/http2-15/bin/openssl version
    OpenSSL 1.0.2-chacha (1.0.2f-dev)
    Code:
    /usr/local/http2-15/bin/openssl ciphers -l -V "ALL:COMPLEMENTOFALL" | grep ChaCha
              0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20(256) Mac=AEAD
              0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20(256) Mac=AEAD
              0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20(256) Mac=AEAD
    h2i
    Code:
     h2i centminmod.com
    Connecting to centminmod.com:443 ...
    Connected to 162.211.65.18:443
    Negotiated protocol "h2"
    [FrameHeader SETTINGS len=18]
      [MAX_CONCURRENT_STREAMS = 128]
      [INITIAL_WINDOW_SIZE = 2147483647]
      [MAX_FRAME_SIZE = 16777215]
    [FrameHeader WINDOW_UPDATE len=4]
      Window-Increment = 2147418112
    
    h2i> quit
    cipherscan
    Code:
    cipherscan centminmod.com
    ............................
    Target: centminmod.com:443
    
    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    10    DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    12    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    14    AES128-GCM-SHA256            TLSv1.2                None                None
    15    AES256-GCM-SHA384            TLSv1.2                None                None
    16    AES128-SHA256                TLSv1.2                None                None
    17    AES256-SHA256                TLSv1.2                None                None
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    
    Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: 3600
    OCSP stapling: supported
    Cipher ordering: server
    Curves ordering: server - fallback: no
    Server supports secure renegotiation
    Server supported compression methods: NONE
    TLS Tolerance: yes
    custom compiled curl 7.46 dev build with --http2 flag support via nghttp2 compilation
    Code:
    curl -V
    curl 7.46.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.46.1-DEV OpenSSL/1.0.2f zlib/1.2.8 libssh2/1.4.3 nghttp2/1.5.1-DEV
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets
    
    Code:
    curl --http2 -I https://centminmod.com
    HTTP/2.0 200
    content-type:text/html; charset=utf-8
    vary:Accept-Encoding
    server:nginx centminmod
    x-powered-by:centminmod
    public-key-pins:pin-sha256="oGbPgwR7vxLMpWdDIy+gc/Z0YD0EYCblHDCCgNQg9W8="; pin-sha256="KrRz+515ViRd/gdl7yGWCW1R4CFAAeMIBHp0JTNk8qc="; max-age=604800; includeSubDomains
    date:Wed, 09 Dec 2015 05:14:41 GMT
    x-page-speed:centminmod.com PageSpeed
    cache-control:max-age=0, no-cache
    
    nghttp2 client over HTTP/2
    Code:
    nghttp -nv https://centminmod.com:443
    [  0.048] Connected
    The negotiated protocol: h2
    [  0.088] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
              (niv=3)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):128]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):2147483647]
              [SETTINGS_MAX_FRAME_SIZE(0x05):16777215]
    [  0.088] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
              (window_size_increment=2147418112)
    [  0.089] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
    [  0.089] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
              (dep_stream_id=0, weight=201, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
              (dep_stream_id=0, weight=101, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
              (dep_stream_id=0, weight=1, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
              (dep_stream_id=7, weight=1, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
              (dep_stream_id=3, weight=1, exclusive=0)
    [  0.089] send HEADERS frame <length=41, flags=0x25, stream_id=13>
              ; END_STREAM | END_HEADERS | PRIORITY
              (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
              ; Open new stream
              :method: GET
              :path: /
              :scheme: https
              :authority: centminmod.com
              accept: */*
              accept-encoding: gzip, deflate
              user-agent: nghttp2/1.5.1-DEV
    [  0.112] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.180] recv (stream_id=13) :status: 200
    [  0.181] recv (stream_id=13) content-type: text/html; charset=utf-8
    [  0.181] recv (stream_id=13) vary: Accept-Encoding
    [  0.181] recv (stream_id=13) server: nginx centminmod
    [  0.181] recv (stream_id=13) x-powered-by: centminmod
    [  0.181] recv (stream_id=13) public-key-pins: pin-sha256="oGbPgwR7vxLMpWdDIy+gc/Z0YD0EYCblHDCCgNQg9W8="; pin-sha256="KrRz+515ViRd/gdl7yGWCW1R4CFAAeMIBHp0JTNk8qc="; max-age=604800; includeSubDomains
    [  0.181] recv (stream_id=13) date: Wed, 09 Dec 2015 05:18:02 GMT
    [  0.181] recv (stream_id=13) x-page-speed: centminmod.com PageSpeed
    [  0.181] recv (stream_id=13) cache-control: max-age=0, no-cache
    [  0.181] recv (stream_id=13) content-encoding: gzip
    [  0.181] recv HEADERS frame <length=397, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0)
              ; First response header
    [  0.181] recv DATA frame <length=8192, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=8192, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=8192, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=10, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=6401, flags=0x01, stream_id=13>
              ; END_STREAM
    [  0.196] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
              (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])
    nghttp2 client HTTP/2 statistics
    Code:
    nghttp -nas https://centminmod.com:443
    ***** Statistics *****
    
    Request timing:
      responseEnd: the  time  when  last  byte of  response  was  received
                   relative to connectEnd
    requestStart: the time  just before  first byte  of request  was sent
                   relative  to connectEnd.   If  '*' is  shown, this  was
                   pushed by server.
          process: responseEnd - requestStart
             code: HTTP status code
             size: number  of  bytes  received as  response  body  without
                   inflation.
              URI: request URI
    
    see http://www.w3.org/TR/resource-timing/#processing-model
    
    sorted by 'complete'
    
    id  responseEnd requestStart  process code size request path
    13    +80.40ms       +206us  80.19ms  200  30K /
    15    +93.00ms     +65.64ms  27.36ms  200   9K /img/favicon.ico
    19   +109.03ms     +65.65ms  43.38ms  200  38K /js/jquery.min.js+bootstrap.min.js.pagespeed.jc.Cd39AMnoIp.js
    21   +109.36ms     +65.65ms  43.71ms  200   7K /js/hover-dropdown-menu.js+jquery.hover-dropdown-menu-addon.js+jquery.easing.1.3.js.pagespeed.jc.vy5S6wKQse.js
    25   +124.13ms     +65.65ms  58.47ms  200   6K /js/custom.js.pagespeed.jm.q-StvNlmtR.js
    23   +124.58ms     +65.65ms  58.93ms  200  24K /js/bootstrapValidator.min.js.pagespeed.jm.YU3KUlvaHb.js
    17   +165.58ms     +65.65ms  99.93ms  200  60K /css/A.localfonts.css+font-awesome.min.css+bootstrap.min.css+hover-dropdown-menu.css+icons-set8.css+animate.min.css+style.css+responsive.css+color.css,Mcc.vO6cqnBPv1.css.pagespeed.cf.zQmJLucqr5.css
    check for ALPN extension support in Nginx HTTP/2 in Centmin Mod LEMP stack on centminmod.com
    Code:
    /usr/local/http2-15/bin/openssl s_client -alpn h2 -host centminmod.com -port 443
    
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    ALPN protocol: h2
    
    check for NPN extension support
    Code:
    /usr/local/http2-15/bin/openssl s_client -nextprotoneg h2 -host centminmod.com -port 443
    
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    Next protocol: (1) h2
    No ALPN negotiated
    testssl
    Code:
    testssl centminmod.com:443
    
    ###########################################################
        testssl       2.7dev from https://testssl.sh/dev/
        (1.426 2015/12/08 16:50:57)
    
     Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) 
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered
     TLS 1.1    offered
     TLS 1.2    offered (OK)
     SPDY/NPN   h2, http/1.1 (advertised)
    
     Testing ~standard cipher lists 
    
     Null Ciphers                 not offered (OK)
     Anonymous NULL Ciphers       not offered (OK)
     Anonymous DH Ciphers         not offered (OK)
     40 Bit encryption            not offered (OK)
     56 Bit encryption            not offered (OK)
     Export Ciphers (general)     not offered (OK)
     Low (<=64 Bit)               not offered (OK)
     DES Ciphers                  not offered (OK)
     Medium grade encryption      not offered (OK)
     Triple DES Ciphers           not offered (OK)
     High grade encryption        offered (OK)
    
     Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 
    
     PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA 
    
     Testing server preferences 
    
     Has server cipher order?     yes (OK)
     Negotiated protocol          TLSv1.2
     Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH
     Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA 
         TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA 
         TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA 
         h2:        ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA 
         http/1.1:  ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA 
    
     Testing server defaults (Server Hello) 
    
     TLS server extensions (std)  "renegotiation info" "EC point formats" "session ticket" "status request" "next protocol" 
     Session Tickets RFC 5077     3600 seconds (PFS requires session ticket keys to be rotated <= daily)
     SSL Session ID support       yes
     Server key size              2048 bit
     Signature Algorithm          SHA256 with RSA
     Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
     Common Name (CN)             "*.centminmod.com" (wildcard certificate match) (CN in response to request w/o SNI: "*.centminmod.com")
     subjectAltName (SAN)         "*.centminmod.com" "centminmod.com" 
     Issuer                       "COMODO RSA Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
     EV cert (experimental)       no 
     Certificate Expiration       613 >= 60 days (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
     # of certificates provided   3
     Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
     Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
     OCSP URI                     http://ocsp.comodoca.com
     OCSP stapling                offered
     TLS timestamp                random values, no fingerprinting possible 
    
     Testing HTTP header response @ "/" 
    
     HTTP Status Code             200 OK
     HTTP clock skew              0 sec from localtime
     Strict Transport Security    --
     Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                                  matching host key: oGbPgwR7vxLMpWdDIy+gc/Z0YD0EYCblHDCCgNQg9W8
     Server banner                nginx centminmod
     Application banner           X-Powered-By: centminmod
     Cookie(s)                    (none issued at "/")
     Security headers             --
     Reverse Proxy banner         --
    
     Testing vulnerabilities 
    
     Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
     CCS (CVE-2014-0224)                       not vulnerable (OK)
     Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
     Secure Client-Initiated Renegotiation     not vulnerable (OK)
     CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
     BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                               Can be ignored for static pages or if no secrets in the page
     POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
     TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
     FREAK (CVE-2015-0204)                     not vulnerable (OK)
     LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
     BEAST (CVE-2011-3389)                     TLS1: AES128-SHA DHE-RSA-AES128-SHA
                                                     AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
                                                     ECDHE-RSA-AES256-SHA
                                               VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
     RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
     Testing all 181 locally available ciphers against the server, ordered by encryption strength 
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
    -------------------------------------------------------------------------
     xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH 256   ChaCha20   256                                                                                    
     xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256                                                                                    
     xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256                                                                                    
     xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256                                                                                    
     x9f     DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM     256                                                                                    
     x6b     DHE-RSA-AES256-SHA256          DH 2048    AES        256                                                                                    
     x39     DHE-RSA-AES256-SHA             DH 2048    AES        256                                                                                    
     x9d     AES256-GCM-SHA384              RSA        AESGCM     256                                                                                    
     x3d     AES256-SHA256                  RSA        AES        256                                                                                    
     x35     AES256-SHA                     RSA        AES        256                                                                                    
     xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128                                                                                    
     xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128                                                                                    
     xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128                                                                                    
     x9e     DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM     128                                                                                    
     x67     DHE-RSA-AES128-SHA256          DH 2048    AES        128                                                                                    
     x33     DHE-RSA-AES128-SHA             DH 2048    AES        128                                                                                    
     x9c     AES128-GCM-SHA256              RSA        AESGCM     128                                                                                    
     x3c     AES128-SHA256                  RSA        AES        128                                                                                    
     x2f     AES128-SHA                     RSA        AES        128                                                                                    
    
    
     
    Last edited: Dec 9, 2015
  3. eva2000

    eva2000 Administrator Staff Member

    30,968
    6,919
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,422
    Local Time:
    2:06 PM
    Nginx 1.13.x
    MariaDB 5.5

    h2load tool



    h2load is apart of nghttp2 included tool set.

    help file
    Code:
    h2load --help
    Usage: h2load [OPTIONS]... [URI]...
    benchmarking tool for HTTP/2 and SPDY server
    
      <URI>       Specify URI to access.   Multiple URIs can be specified.
                  URIs are used  in this order for each  client.  All URIs
                  are used, then  first URI is used and then  2nd URI, and
                  so  on.  The  scheme, host  and port  in the  subsequent
                  URIs, if present,  are ignored.  Those in  the first URI
                  are used solely.  Definition of a base URI overrides all
                  scheme, host or port values.
    Options:
      -n, --requests=<N>
                  Number of  requests across all  clients.  If it  is used
                  with --timing-script-file option,  this option specifies
                  the number of requests  each client performs rather than
                  the number of requests across all clients.
                  Default: 1
      -c, --clients=<N>
                  Number  of concurrent  clients.   With  -r option,  this
                  specifies the maximum number of connections to be made.
                  Default: 1
      -t, --threads=<N>
                  Number of native threads.
                  Default: 1
      -i, --input-file=<PATH>
                  Path of a file with multiple URIs are separated by EOLs.
                  This option will disable URIs getting from command-line.
                  If '-' is given as <PATH>, URIs will be read from stdin.
                  URIs are used  in this order for each  client.  All URIs
                  are used, then  first URI is used and then  2nd URI, and
                  so  on.  The  scheme, host  and port  in the  subsequent
                  URIs, if present,  are ignored.  Those in  the first URI
                  are used solely.  Definition of a base URI overrides all
                  scheme, host or port values.
      -m, --max-concurrent-streams=(auto|<N>)
                  Max concurrent streams to  issue per session.  If "auto"
                  is given, the number of given URIs is used.
                  Default: auto
      -w, --window-bits=<N>
                  Sets the stream level initial window size to (2**<N>)-1.
                  For SPDY, 2**<N> is used instead.
                  Default: 30
      -W, --connection-window-bits=<N>
                  Sets  the  connection  level   initial  window  size  to
                  (2**<N>)-1.  For SPDY, if <N>  is strictly less than 16,
                  this option  is ignored.   Otherwise 2**<N> is  used for
                  SPDY.
                  Default: 30
      -H, --header=<HEADER>
                  Add/Override a header to the requests.
      --ciphers=<SUITE>
                  Set allowed  cipher list.  The  format of the  string is
                  described in OpenSSL ciphers(1).
      -p, --no-tls-proto=<PROTOID>
                  Specify ALPN identifier of the  protocol to be used when
                  accessing http URI without SSL/TLS.
                  Available protocols: spdy/2, spdy/3, spdy/3.1, h2c and
                  http/1.1
                  Default: h2c
      -d, --data=<PATH>
                  Post FILE to  server.  The request method  is changed to
                  POST.
      -r, --rate=<N>
                  Specifies  the  fixed  rate  at  which  connections  are
                  created.   The   rate  must   be  a   positive  integer,
                  representing the  number of  connections to be  made per
                  rate period.   The maximum  number of connections  to be
                  made  is  given  in  -c   option.   This  rate  will  be
                  distributed among  threads as  evenly as  possible.  For
                  example,  with   -t2  and   -r4,  each  thread   gets  2
                  connections per period.  When the rate is 0, the program
                  will run  as it  normally does, creating  connections at
                  whatever variable rate it  wants.  The default value for
                  this option is 0.
      --rate-period=<DURATION>
                  Specifies the time  period between creating connections.
                  The period  must be a positive  number, representing the
                  length of the period in time.  This option is ignored if
                  the rate option is not used.  The default value for this
                  option is 1s.
      -T, --connection-active-timeout=<DURATION>
                  Specifies  the maximum  time that  h2load is  willing to
                  keep a  connection open,  regardless of the  activity on
                  said connection.  <DURATION> must be a positive integer,
                  specifying the amount of time  to wait.  When no timeout
                  value is  set (either  active or inactive),  h2load will
                  keep  a  connection  open indefinitely,  waiting  for  a
                  response.
      -N, --connection-inactivity-timeout=<DURATION>
                  Specifies the amount  of time that h2load  is willing to
                  wait to see activity  on a given connection.  <DURATION>
                  must  be a  positive integer,  specifying the  amount of
                  time  to wait.   When no  timeout value  is set  (either
                  active or inactive), h2load  will keep a connection open
                  indefinitely, waiting for a response.
      --timing-script-file=<PATH>
                  Path of a file containing one or more lines separated by
                  EOLs.  Each script line is composed of two tab-separated
                  fields.  The first field represents the time offset from
                  the start of execution, expressed as a positive value of
                  milliseconds  with microsecond  resolution.  The  second
                  field represents the URI.  This option will disable URIs
                  getting from  command-line.  If '-' is  given as <PATH>,
                  script lines will be read  from stdin.  Script lines are
                  used in order for each client.   If -n is given, it must
                  be less  than or  equal to the  number of  script lines,
                  larger values are clamped to the number of script lines.
                  If -n is not given,  the number of requests will default
                  to the  number of  script lines.   The scheme,  host and
                  port defined in  the first URI are  used solely.  Values
                  contained  in  other  URIs,  if  present,  are  ignored.
                  Definition of a  base URI overrides all  scheme, host or
                  port values.
      -B, --base-uri=<URI>
                  Specify URI from which the scheme, host and port will be
                  used  for  all requests.   The  base  URI overrides  all
                  values  defined either  at  the command  line or  inside
                  input files.
      --npn-list=<LIST>
                  Comma delimited list of  ALPN protocol identifier sorted
                  in the  order of preference.  That  means most desirable
                  protocol comes  first.  This  is used  in both  ALPN and
                  NPN.  The parameter must be  delimited by a single comma
                  only  and any  white spaces  are  treated as  a part  of
                  protocol string.
                  Default: h2,h2-16,h2-14,spdy/3.1,spdy/3,spdy/2,http/1.1
      --h1        Short        hand         for        --npn-list=http/1.1
                  --no-tls-proto=http/1.1,    which   effectively    force
                  http/1.1 for both http and https URI.
      -v, --verbose
                  Output debug information.
      --version   Display version information and exit.
      -h, --help  Display this help and exit.
    
    --
    
      The <DURATION> argument is an integer and an optional unit (e.g., 1s
      is 1 second and 500ms is 500 milliseconds).  Units are h, m, s or ms
      (hours, minutes, seconds and milliseconds, respectively).  If a unit
      is omitted, a second is used as unit.

    Centmin Mod Nginx HTTP/2 Tests



    Against centminmod.com

    h2load test with 10 concurrent clients, 100 max concurrent streams and 100 requests against centminmod.com over HTTP/2 on port 443
    Code:
    /usr/local/bin/h2load -c10 -m100 -n10 -v https://centminmod.com:443                           
    starting benchmark...
    spawning thread #0: 10 total client(s). 10 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 741.63ms, 13.48 req/s, 1.90MB/s
    requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 10 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 1480980 bytes total, 3740 bytes headers (space savings 0.53%), 1474860 bytes data
                         min         max         mean         sd        +/- sd
    time for request:   156.19ms    652.72ms    418.38ms    159.59ms    60.00%
    time for connect:    42.83ms     87.13ms     64.59ms     17.02ms    40.00%
    time to 1st byte:   159.45ms    678.37ms    431.71ms    168.17ms    60.00%
    req/s (client)  :       1.35        5.02        2.47        1.16    80.00%

    Centmin Mod Nginx HTTP/2 Tests



    h2load test against my Letsencrypt free SSL enabled Centmin Mod Nginx HTTP/2 server at le12.http2ssl.xyz:443
    Code:
    /usr/local/bin/h2load -c10 -m100 -n10 -v https://le12.http2ssl.xyz:443          
    starting benchmark...
    spawning thread #0: 10 total client(s). 10 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 78.89ms, 126.76 req/s, 263.42KB/s
    requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 10 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 21280 bytes total, 2290 bytes headers (space savings 14.23%), 18320 bytes data
                         min         max         mean         sd        +/- sd
    time for request:    12.18ms     15.28ms     13.97ms      1.27ms    60.00%
    time for connect:    44.10ms     62.14ms     52.38ms      6.90ms    60.00%
    time to 1st byte:    56.30ms     77.42ms     66.36ms      8.11ms    60.00%
    req/s (client)  :      12.91       17.74       15.28        1.86    60.00%

    Caddy HTTP/2 Tests



    h2load test against my Letsencrypt free SSL enabled Caddy 0.80 HTTP/2 server at le12.http2ssl.xyz:445
    Code:
    /usr/local/bin/h2load -c10 -m100 -n10 -v https://le12.http2ssl.xyz:445
    starting benchmark...
    spawning thread #0: 10 total client(s). 10 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 105.26ms, 95.01 req/s, 181.85KB/s
    requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 10 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 19600 bytes total, 740 bytes headers (space savings 54.04%), 18320 bytes data
                         min         max         mean         sd        +/- sd
    time for request:    12.46ms     15.64ms     13.57ms      1.07ms    70.00%
    time for connect:    71.42ms     88.76ms     78.97ms      5.69ms    70.00%
    time to 1st byte:    84.71ms    104.41ms     92.55ms      6.44ms    60.00%
    req/s (client)  :       9.57       11.79       10.85        0.74    60.00%
    note I had updated Centmin Mod Nginx to 1.9.8 too
     
    Last edited: Dec 9, 2015