Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director, Oracle iPlanet WebServer

  • March 31, 2011

SNI and benchmarking tools - ab and siege

I wanted to do some performance measurements on an SNI server using some tool. I evaluated two tools.

1. "ab" (Apache HTTP server benchmarking tool)

So I had to build "ab" so that it accepts HTTPS URLs, not just HTTP URLs, and sends the TLS SNI extension in the SSL handshake.

1.1. Download OpenSSL and Apache source code

I downloaded OpenSSL source code (openssl-1.0.0d.tar) from http://www.openssl.org/source/ and Apache source code from http://httpd.apache.org/ (httpd-2.3.11-beta.tar and httpd-2.3.11-beta-deps.tar).

But I had to make the following two changes in the Apache code.

1.2. Modify configure.in

$diff configure.in configure.in.ORIGINAL
611,614d610
< if test "$enable_ssl" != "no"; then
<   APR_ADDTO(DEFS, "-DAB_USE_SSL")
< fi
<
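Review bot: the guard `test "$enable_ssl" != "no"` at lines 611-613 is also true when `$enable_ssl` is empty, so if the variable can be unset at this point in configure.in, `-DAB_USE_SSL` is added to DEFS for builds that never asked for SSL. Testing for the positive case, or also requiring a non-empty value, would keep a plain `./configure` producing an HTTP-only ab.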

I took these changes from http://www.mail-archive.com/dev@httpd.apache.org/msg25661.html

1.3. Modify support/ab.c

First I tried calling the function SSL_set_tlsext_host_name(c->ssl, host_field); but it gave an undefined symbol error, so I used the SSL_ctrl function instead.

$diff ab.c ab.c.orig
184d183
< #include <openssl/tls1.h> /\* for TLSEXT_NAMETYPE_host_name \*/
1182d1180
<
1244,1245d1241
<         SSL_ctrl(c->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, host_field);
<
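Review bot: the result of `SSL_ctrl(c->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, ...)` at line 1244 is discarded, so if setting the name fails the handshake goes out without SNI and the run quietly measures whichever virtual server is the default. Check the return value and report the failure before connecting. The call and the `openssl/tls1.h` include are also unconditional; a guard such as `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` would keep ab compiling against an OpenSSL built without `enable-tlsext`.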

1.4. Building and Installing OpenSSL and Apache

I built and installed OpenSSL and Apache as given in

http://www.linuxquestions.org/questions/linux-server-73/openssl-support-for-sni-and-tls-799387/#10


OpenSSL :

$./config --prefix=/usr/local --openssldir=/usr/local/openssl enable-tlsext shared
$make && make install


Apache :

$LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include/ ./configure \
    --enable-so --enable-ssl --enable-rewrite --enable-unique-id \
    --with-ssl=/usr/local/
$make && make install

1.5. Send a test request using "ab" and confirm using ssltap

Set LD_LIBRARY_PATH to the OpenSSL directory (containing libssl.so) :

    $export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

Confirm that ab -help shows "http[s]" in the usage as shown below :

   $/usr/local/apache2/bin/ab -help

   Usage: ./ab [options] [http[s]://]hostname[:port]/path

Now send a single request, routed to the server through ssltap, to confirm that "ab" is working fine :

$./ab -n 1 -c 1 -f TLS1 https://www.foo.com:1924/abc.html

The ssltap output shows that the server name "www.foo.com" was sent in the SSL handshake :


$ssltap -s -l -p 1924 foo.com:port
--> [
(230 bytes of 225)
SSLRecord { [Thu Mar 31 19:43:21 2011]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 225 (0xe1)
   handshake {
      type = 1 (client_hello)
      length = 221 (0x0000dd)
         ClientHelloV3 {
            client_version = {3, 1}
            random = {...}
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[46] = {

...
            }
...
            extensions[88] = {

 extension type server_name, length [16] = {

  0: 00 0e 00 00  ... 2e 63 6f 6d  | .....www.foo.com
}
...


2. siege

I downloaded siege-2.70.tar.gz from ftp://ftp.joedog.org/pub/siege/siege-2.70.tar.gz

$gunzip siege-2.70.tar.gz

$tar -xvf siege-2.70.tar

$cd siege-2.70

Make these code changes :

$diff client.c client.c.orig
292c292
<     if (SSL_initialize(C, U->hostname)==FALSE) {
---
>     if (SSL_initialize(C)==FALSE) {
$diff ssl.h ssl.h.orig
52c52
< BOOLEAN SSL_initialize(CONN \*C, const char \*servername);
---
> BOOLEAN SSL_initialize(CONN \*C);
$diff ssl.c ssl.c.orig
43d42
< #include <tls1.h>
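Review bot: `#include <tls1.h>` at ssl.c line 43 resolves only when the OpenSSL header directory itself is on the include path; the ab change earlier on this page includes the same header as `<openssl/tls1.h>`. Using the prefixed form here removes the dependency on how `--with-ssl` happens to set the include flags.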
67c66
< SSL_initialize(CONN \*C, const char \*servername)
---
> SSL_initialize(CONN \*C)
137,138d135
<   SSL_ctrl(C->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME,
<            TLSEXT_NAMETYPE_host_name, servername);
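Review bot: `servername` reaches `SSL_ctrl` at ssl.c lines 137-138 with no NULL or empty check, and the return value is ignored. Since client.c passes `U->hostname` straight through, a URL given as an IP literal would be sent as the server name as well; skip the call in that case, and check the result so a failed SNI setup is reported instead of being benchmarked.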

Build and install siege :

$./configure --with-ssl=/usr/local/

$make

$make install

$export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

Run siege :

$/usr/local/bin/siege -c 10 -t1M https://www.foo.com:3333/index.html

You can confirm with ssltap that siege sent the TLS SNI extension.
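The ssltap check used above for both ab and siege comes down to finding the server_name extension in the ClientHello. The following C function is an added example, not code from the original post, ab, siege or ssltap: it pulls that host name out of a captured handshake record. The names sni_from_client_hello and SAMPLE are made up for this example, the sample bytes are constructed, and the ClientHello is assumed to fit in a single TLS record.

```c
#include <stdio.h>
#include <string.h>
typedef struct { const unsigned char *p; size_t left; } cur_t; /* bounds-checked cursor */
static int skip(cur_t *c, size_t n) {
    if (c->left < n) return -1;
    c->p += n; c->left -= n; return 0;
}
static long be(cur_t *c, size_t n) { /* n-byte big-endian integer, -1 if too short */
    long v = 0;
    if (c->left < n) return -1;
    while (n--) { v = (v << 8) | *c->p++; c->left--; }
    return v;
}
static int skip_vec(cur_t *c, size_t n) { /* n-byte length prefix, then payload */
    long l = be(c, n);
    return l < 0 ? -1 : skip(c, (size_t)l);
}
/* Copy a ClientHello's server_name into out: 0 if found, -1 if absent or malformed. */
int sni_from_client_hello(const unsigned char *rec, size_t len, char *out, size_t outsz) {
    cur_t c = { rec, len };
    long ext, type, elen, nlen;
    if (be(&c, 1) != 22 || skip(&c, 4)) return -1;         /* record: handshake; version, length */
    if (be(&c, 1) != 1 || skip(&c, 3 + 2 + 32)) return -1; /* client_hello; length, version, random */
    if (skip_vec(&c, 1) || skip_vec(&c, 2) || skip_vec(&c, 1)) return -1; /* session ID, ciphers, compression */
    if ((ext = be(&c, 2)) < 0 || (size_t)ext > c.left) return -1;
    c.left = (size_t)ext;                                  /* walk only the extensions block */
    while (c.left >= 4) {
        type = be(&c, 2); elen = be(&c, 2);
        if ((size_t)elen > c.left) return -1;
        if (type == 0) {                                   /* extension type server_name */
            cur_t e = { c.p, (size_t)elen };
            if (be(&e, 2) < 0 || be(&e, 1) != 0) return -1; /* list length, name_type host_name */
            if ((nlen = be(&e, 2)) < 0 || (size_t)nlen > e.left || (size_t)nlen >= outsz) return -1;
            memcpy(out, e.p, (size_t)nlen); out[nlen] = '\0';
            return 0;
        }
        skip(&c, (size_t)elen);
    }
    return -1;
}
/* Constructed sample: minimal TLS 1.0 ClientHello; SNI body = 00 0e 00 00 0b "www.foo.com". */
static const unsigned char SAMPLE[] = "\x16\x03\x01\x00\x43" "\x01\x00\x00\x3f" "\x03\x01"
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" /* random */ "\x00"
    "\x00\x02\x00\x2f" "\x01\x00" "\x00\x14" "\x00\x00\x00\x10" "\x00\x0e\x00\x00\x0b" "www.foo.com";
int main(void) {
    char host[256];
    int rc = sni_from_client_hello(SAMPLE, sizeof SAMPLE - 1, host, sizeof host);
    printf("server_name: %s\n", rc == 0 ? host : "(none)");
    return 0;
}
```

A return of -1 on a capture from one of the patched tools means the client did not send SNI (or the record is truncated), which is the case the ssltap inspection is meant to catch.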
