Thursday Mar 31, 2011

SNI and benchmarking tools - ab and siege

I wanted to do some performance measurements on some SNI server using some tool. I evaluated two tools.

1. "ab" (Apache HTTP server benchmarking tool)

So I had to build "ab" so that it accepts HTTPS URLs, not just HTTP URLs, and sends the TLS SNI extension in the SSL handshake.

1.1. Download OpenSSL and Apache source code

I downloaded OpenSSL source code (openssl-1.0.0d.tar) from http://www.openssl.org/source/ and Apache source code from http://httpd.apache.org/ (httpd-2.3.11-beta.tar and httpd-2.3.11-beta-deps.tar).

But I had to make the following two changes in Apache code.

1.2. Modify configure.in

$ diff configure.in configure.in.ORIGINAL
611,614d610
< if test "$enable_ssl" != "no"; then
<   APR_ADDTO(DEFS, "-DAB_USE_SSL")
< fi
<
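
Review bot: The condition on added line 611, `test "$enable_ssl" != "no"`, is also true when enable_ssl is empty or unset, so -DAB_USE_SSL would be added to DEFS on a build where SSL was never requested. Test for the value that means SSL is actually enabled, so that ab is compiled with its SSL code only when the SSL headers and libraries are part of the build.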

I took these changes from http://www.mail-archive.com/dev@httpd.apache.org/msg25661.html

1.3. Modify support/ab.c

First I tried calling the function SSL_set_tlsext_host_name(c->ssl, host_field); but it gave an undefined symbol error, so I used the SSL_ctrl function instead.

$ diff ab.c ab.c.orig
184d183
< #include <openssl/tls1.h> /\* for TLSEXT_NAMETYPE_host_name \*/
1182d1180
<
1244,1245d1241
<         SSL_ctrl(c->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, host_field);
< 
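
Review bot: The SSL_ctrl call added at line 1244 drops its return value, so if the host name cannot be set the benchmark carries on without SNI and nothing reports it. Check the result and print an error before connecting, and consider wrapping the call in #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME so that ab.c still compiles against an OpenSSL built without TLS extension support.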

1.4. Building and Installing OpenSSL and Apache

I built and installed OpenSSL and Apache as given in

http://www.linuxquestions.org/questions/linux-server-73/openssl-support-for-sni-and-tls-799387/#10


OpenSSL :

$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl enable-tlsext shared
$ make && make install


Apache :

$ LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include/ ./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local/
$ make && make install

1.5. Send a test request using "ab" and confirm using ssltap

Set LD_LIBRARY_PATH to the OpenSSL directory (containing libssl.so):

    $ export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

Confirm that ab -help shows "http[s]" in the usage, as shown below:

    $ /usr/local/apache2/bin/ab -help

    Usage: ./ab [options] [http[s]://]hostname[:port]/path

Now send a single request and route it to the server through ssltap to confirm that "ab" is working:

$ ./ab -n 1 -c 1 -f TLS1 https://www.foo.com:1924/abc.html

The ssltap output shows that the server name "www.foo.com" was sent in the SSL handshake:

$ ssltap -s -l -p 1924 foo.com:port

--> [
  (230 bytes of 225)
  SSLRecord { [Thu Mar 31 19:43:21 2011]
     type    = 22 (handshake)
     version = { 3,1 }
     length  = 225 (0xe1)
     handshake {
        type = 1 (client_hello)
        length = 221 (0x0000dd)
           ClientHelloV3 {
              client_version = {3, 1}
              random = {...}
              session ID = {
                  length = 0
                  contents = {...}
              }
              cipher_suites[46] = {
                 ...
              }
              ...
              extensions[88] = {
                 extension type server_name, length [16] = {
                    0: 00 0e 00 00  ... 2e 63 6f 6d  | .....www.foo.com
                 }
                 ...
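
The 16-byte server_name body in the dump above can also be decoded by hand when checking a capture. The C function below is an added example, not code from the original post or from ab, siege or ssltap; the name sni_host_name and the sample bytes (constructed to be consistent with the dump for www.foo.com) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a TLS server_name extension body (RFC 6066, section 3): uint16
 * list length, then { uint8 type; uint16 len; name } entries. Returns the
 * length of the first host_name copied into out, or -1 if malformed. */
int sni_host_name(const uint8_t *ext, size_t ext_len, char *out, size_t out_sz)
{
    if (ext_len < 2)
        return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != ext_len - 2)            /* list must fill the body */
        return -1;
    size_t pos = 2;
    while (ext_len - pos >= 3) {
        uint8_t name_type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > ext_len - pos)       /* entry overruns the body */
            return -1;
        if (name_type == 0) {               /* 0 = host_name */
            if (name_len == 0 || name_len >= out_sz)
                return -1;
            if (memchr(ext + pos, '\0', name_len) != NULL)
                return -1;                  /* reject embedded NUL bytes */
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return (int)name_len;
        }
        pos += name_len;                    /* skip other name types */
    }
    return -1;
}

/* Constructed sample: the 16-byte extension body for "www.foo.com",
 * consistent with the "00 0e 00 00 ... 2e 63 6f 6d" dump above. */
static const uint8_t SAMPLE_SNI[16] = {
    0x00, 0x0e, 0x00, 0x00, 0x0b,
    'w', 'w', 'w', '.', 'f', 'o', 'o', '.', 'c', 'o', 'm'
};
int main(void)
{
    char name[256];
    int n = sni_host_name(SAMPLE_SNI, sizeof SAMPLE_SNI, name, sizeof name);
    printf("%s\n", n > 0 ? name : "(no valid server_name)");
    return n > 0 ? 0 : 1;
}
```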


2. siege

Downloaded siege-2.70.tar.gz from ftp://ftp.joedog.org/pub/siege/siege-2.70.tar.gz

$ gunzip siege-2.70.tar.gz

$ tar -xvf siege-2.70.tar

$ cd siege-2.70

Make these code changes:

$ diff client.c client.c.orig
292c292
<     if (SSL_initialize(C, U->hostname)==FALSE) {
---
>     if (SSL_initialize(C)==FALSE) {

$ diff ssl.h ssl.h.orig
52c52
< BOOLEAN SSL_initialize(CONN \*C, const char \*servername);
---
> BOOLEAN SSL_initialize(CONN \*C);

$ diff ssl.c ssl.c.orig
43d42
< #include <tls1.h>
67c66
< SSL_initialize(CONN \*C, const char \*servername)
---
> SSL_initialize(CONN \*C)
137,138d135
<   SSL_ctrl(C->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME,
<            TLSEXT_NAMETYPE_host_name, servername);
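
Review bot: At added lines 137-138, servername goes to SSL_ctrl with no NULL check and the return value is dropped. Since client.c passes U->hostname straight through, skip the call when servername is NULL or an IP address literal (RFC 6066 does not allow literal addresses in the server_name extension), and treat a failed SSL_ctrl as an initialization error by returning FALSE, which the caller in client.c already checks for.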

Build and install siege:

$ ./configure --with-ssl=/usr/local/

$ make

$ make install

$ export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

Run siege:

$ /usr/local/bin/siege -c 10 -t1M https://www.foo.com:3333/index.html

You can confirm with ssltap that siege sent the SNI TLS extension.

About

Meena Vyas
