Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/tempesta-tech/tls-perf

TLS handshakes benchnarking tool
https://github.com/tempesta-tech/tls-perf

benchmark ddos performance tls

Last synced: 5 days ago
JSON representation

TLS handshakes benchnarking tool

Host: GitHub
URL: https://github.com/tempesta-tech/tls-perf
Owner: tempesta-tech
License: gpl-2.0
Created: 2020-04-14T20:04:19.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2023-09-13T12:02:42.000Z (about 1 year ago)
Last Synced: 2024-03-26T06:10:54.131Z (8 months ago)
Topics: benchmark, ddos, performance, tls
Language: C++
Homepage:
Size: 80.1 KB
Stars: 45
Watchers: 13
Forks: 9
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# TLS handshakes benchmarking tool

A tool to stress test the TLS handshake by triggering processor intensive
cryptographic computations on the server side.

Inspired by and partially based on THC-SSL-DOS tool (see the fork of the
original tool at https://github.com/azet/thc-tls-dos). The key differences
from the THC tool are:

1. this benchmark does TLS handshake only and quickly resets TCP connection.
It doesn't try to send or read any data or execute a renegotiation.

2. this benchmark is multi-threaded and with better `epoll()` based IO, more
efficient state machine and less looping. Multi-threading is required for
ECC handshakes with the cryptographic calculations more expensive on
the client side than on the server side.

3. Much richer statistics.

# Usage

## Build
```
$ make
g++ -O2 -march=native -mtune=native -Wall -DL1DSZ=64 -c main.cc -o main.o
g++ -o tls-perf main.o -lpthread -lssl -lcrypto
```

## Using custom openssl build
Provide `Makefile.local` with two variables:
```
SSL_INCLUDE := /path/to/ssl/include/dir
SSL_LIBDIR := /path/to/ssl/libdir
```

This would add specified directories to compiler/linker search paths and also would
add rpath to the resulting binary.

## Help
```
$ ./tls-perf --help

./tls-perf [options]
-h,--help Print this help and exit
-d,--debug Run in debug mode
-q,--quiet Show less statistics in the run time
-l Limit parallel connections for each thread (default: 1)
-n Total number of handshakes to establish
-t Number of threads (default: 1).
-T,--to Duration of the test (in seconds)
-c Force cipher choice
(use `openssl ciphers` to list available cipher suites),
-C Force specific curve for elliptic curve algorithms (use
`openssl ecparam -list_curves` to list available curves).
-V,--tls Set TLS version for handshake:
'1.2', '1.3' or 'any' for both (default: '1.2')
-K,--tickets Process TLS Session tickets and session resumption,
'on', 'off' or 'advertise', (default: 'off')
-F,--keylogfile File to dump keys for traffic analysers
-s,--sni SNI to use for the given

127.0.0.1:443 address is used by default.

To list available ciphers on a remote peer use:
$ nmap --script ssl-enum-ciphers -p

```

## Examples

Bechmark TLS v1.3 handshakes for 10 seconds through 8 threads with 100
concurrent connections in each tread:
```
./tls-perf -T 10 -l 100 -t 8 --tls 1.3 192.168.76.7 8081
```

Bechmark 100 handshakes, leave TLS version and cipher choice for OpenSSL:
```
./tls-perf -n 100 --tls any ::1 8081
```

## Run

**tls-perf** starts to establish new connections slowly and prints
```
( All peers are active, start to gather statistics )
```
This time all the requested peers managing all the requested connections are
active and **tls-perf** starts to gather statistics for the final report. Thus,
you might see smaller number for `MEASURES` than you saw per-second statistic
lines.

The slow start also warms up all the caches of the benchmarked system, so
you don't need to make additional load before the benchmark.

```
$ ./tls-perf -l 1000 -t 2 -T 10 192.168.100.4 443
Running TLS benchmark with following settings:
Host: 192.168.100.4 : 443
TLS version: 1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
TLS tickets: off
Duration: 3000

set open files limit to 2008
TLS hs in progress 252 [382 h/s], TCP open conns 252 [146 hs in progress], Errors 0
TLS hs in progress 400 [495 h/s], TCP open conns 400 [497 hs in progress], Errors 0
TLS hs in progress 549 [620 h/s], TCP open conns 549 [932 hs in progress], Errors 0
( All peers are active, start to gather statistics )
TLS hs in progress 834 [448 h/s], TCP open conns 834 [1071 hs in progress], Errors 0
TLS hs in progress 945 [548 h/s], TCP open conns 945 [1055 hs in progress], Errors 0
TLS hs in progress 908 [529 h/s], TCP open conns 908 [1092 hs in progress], Errors 0
TLS hs in progress 946 [603 h/s], TCP open conns 946 [1047 hs in progress], Errors 0
TLS hs in progress 969 [615 h/s], TCP open conns 969 [1031 hs in progress], Errors 0
TLS hs in progress 994 [618 h/s], TCP open conns 994 [1006 hs in progress], Errors 0
TLS hs in progress 941 [585 h/s], TCP open conns 941 [1059 hs in progress], Errors 0
========================================
TOTAL: SECONDS 7; HANDSHAKES 5443
MEASURES (seconds): MAX h/s 618; AVG h/s 561; 95P h/s 448; MIN h/s 448
LATENCY (microseconds): MIN 26; AVG 50; 95P 74; MAX 3945
```

`95P` parameters in resulting statistics show 95'th percentile: 95% of TLS
handshakes per second measurements are better than the number and 95% of TLS
handshakes require less microseconds than the number.