Topic: 30x Higher Server Response Time for TLS_DHE_RSA_AES256_GCM_SHA256
Hello,
Currently, I am writing my master's thesis on benchmarking different TLS libraries on their response time.
Basically, I measure the time on TCP level that the TLS server takes to respond to client messages for different cipher suites and handshake flows (normal, with resumption, with OCSP, etc.).
During my testing, I observed up to 30x longer response times for the first ServerHello message when using the WolfSSL server example for TLS1.2 cipher suites with DHE key exchange compared to ECDHE key exchange. I didn't see that behaviour with other libraries (like openssl).
Also, when using the DHE cipher suites for a resumption handshake, the time consumption is only high for resumption with session ID but not for resumption with session ticket.
Below I listed some details on the test setup and test results. The given values are the average response time of 1000 test repetitions.
The results are also visualized here https://wg.sebastianhahn.net/nextcloud/ … 7oCndHMHob. I also marked the details in a Wireshark log for comparison: https://wg.sebastianhahn.net/nextcloud/ … aQZLBXtQZ8 (this Wireshark log file only shows two repetitions to keep it manageable - actual .pcap file is here: https://wg.sebastianhahn.net/nextcloud/ … rkxYisLYam)
Test Setup
wolfssl-5.7.2, configured with ./configure --enable-all
Usage of ./example/server/server -p 4444 -v 3 -c <RSA2048 CERT> -k <RSA2048 KEY> -d -i -f
TLS library for comparison was OpenSSL 3.3.1: ./openssl s_server -cert <RSA2048 CERT> -key <RSA2048 KEY> -port 4455
client and server are both running on local machine
Operating System: Ubuntu 22.04.4
Kernel: Linux 5.15.0-119-generic
Architecture: x86-64
Performed 1000 TLS handshakes for each testcase to derive statistical metrics
Results for Time Consumption of Server Response to ClientHello*
* when using a resumption handshake, we also only care about the first time the server responds to client hello / for the resuming handshake, the server response time was - as expected - always very low
Testcase: TLSv1.2, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, normal handshake
OpenSSL: 4.934 ms
WolfSSL: 144.376 ms
WolfSSL is taking around 30x more time for sending the response
Testcase: TLSv1.2, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, Session Resumption with Session ID
OpenSSL: 5.147 ms
WolfSSL: 144.938
WolfSSL is taking around 28x more time for sending the response
Testcase: TLSv1.2, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, Session Resumption with Session Ticket
OpenSSL: 4.869
WolfSSL: 7.88
WolfSSL is not drastically taking so much more time
For comparison I did the same tests just using ECDHE instead of DHE for the key exchange. Here I don't see any significant difference either between OpenSSL and WolfSSL or within WolfSSL between no resumption or with session ID or ticket.
Testcase: TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, normal handshake
OpenSSL: 6.283 ms
WolfSSL: 7.516 ms
Here the time usage of WolfSSL is not significantly different
Testcase: TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Session Resumption with Session ID
OpenSSL: 6.782 ms
WolfSSL: 8.437 ms
Here the time usage of WolfSSL is not significantly different
Testcase: TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Session Resumption with Session Ticket
OpenSSL: 6.292 ms
WolfSSL: 7.771 ms
Here the time usage of WolfSSL is not significantly different
It seems that the time delay is dependent on the key exchange as we don't see it with ECDHE.
But I also find it interesting that the delay is only happening for DHE if we have no resumption or a resumption with session ID. The difference between those cases and resumption with session ticket could be how the session is treated. When using session tickets, the session is usually considered stateless. But I am not sure whether this influences the internal state machine of wolfSSL in any way that also affects the response times.
I would be very much interested whether others have seen similar artifacts.
It would be interesting to understand why this is happening and whether I should use the server example differently.
Thanks a lot!
Leonie
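An added example, not part of the original post and not the poster's measurement code: one way to derive the ClientHello-to-ServerHello response time from captured TCP payloads, so that a bare TCP ACK from the server is not mistaken for the TLS response. The packet tuples, function names and timestamps are constructed assumptions; real input would come from a .pcap reader.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2        # TLS handshake message types

def handshake_types(payload):
    """Handshake message types in one TCP payload (assumes whole, unencrypted records)."""
    types, off = [], 0
    while off + 5 <= len(payload):
        ctype, _version, rlen = struct.unpack_from("!BHH", payload, off)
        body = payload[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype == CHANGE_CIPHER_SPEC:
            break                        # handshake records after this are encrypted
        if ctype == HANDSHAKE:
            pos = 0
            while pos + 4 <= len(body):  # 1-byte type + 3-byte length per message
                types.append(body[pos])
                pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    return types

def server_hello_latency_us(packets):
    """Microseconds from ClientHello to first ServerHello on one connection, else None."""
    hello_ts = None
    for ts, from_client, payload in packets:
        types = handshake_types(payload)
        if from_client and hello_ts is None and CLIENT_HELLO in types:
            hello_ts = ts
        elif not from_client and hello_ts is not None and SERVER_HELLO in types:
            return ts - hello_ts
    return None

def record(msg_type, body_len):
    """Build a constructed TLS 1.2 record holding one zero-filled handshake message."""
    msg = bytes([msg_type]) + body_len.to_bytes(3, "big") + bytes(body_len)
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg

# Constructed sample: (timestamp_us, from_client, tcp_payload) per connection.
CONNECTIONS = [
    [(1_000, True, record(CLIENT_HELLO, 180)),
     (1_020, False, b""),                                  # bare TCP ACK, no TLS data
     (8_500, False, record(SERVER_HELLO, 70) + record(11, 900))],  # 11 = Certificate
    [(50_000, True, record(CLIENT_HELLO, 180)), (57_700, False, record(SERVER_HELLO, 70))],
]

def mean_latency_ms(connections):
    values = [v for v in map(server_hello_latency_us, connections) if v is not None]
    return sum(values) / len(values) / 1000.0

if __name__ == "__main__":
    print(f"mean ServerHello latency: {mean_latency_ms(CONNECTIONS):.3f} ms")
```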