Introduction
I was recently benchmarking the use of 4096-bit RSA certificates for some secure host communications. One of the servers was a Raspberry Pi (lol) and the other was a beast of a machine with 128GB of RAM and 24 cores. Both of these devices would be communicating with each other as clients and servers, so they would each need to verify SSL certs.
Benchmarking
Noticing that there was significant lag on the Pi, I wanted to run some benchmarking. Up my sleeve I have a cool trick, which is the openssl speed command:

openssl speed rsa

If you don't want to test all possible key lengths, you can append the bit length to the rsa argument, so it reads rsa4096.
Interpreting the Results
If you take a look at the output, it provides some very useful numbers:
To get the most accurate results, try to run this
program when this computer is idle.
Doing 512 bit private rsa's for 10s: 56089 512 bit private RSA's in 9.81s
Doing 512 bit public rsa's for 10s: 801495 512 bit public RSA's in 9.82s
Doing 1024 bit private rsa's for 10s: 13806 1024 bit private RSA's in 9.57s
Doing 1024 bit public rsa's for 10s: 273265 1024 bit public RSA's in 9.39s
Doing 2048 bit private rsa's for 10s: 2849 2048 bit private RSA's in 9.63s
Doing 2048 bit public rsa's for 10s: 114176 2048 bit public RSA's in 9.69s
Doing 4096 bit private rsa's for 10s: 421 4096 bit private RSA's in 9.52s
Doing 4096 bit public rsa's for 10s: 27233 4096 bit public RSA's in 9.34s
OpenSSL 0.9.8zc 15 Oct 2014
built on: Nov 12 2014
options:bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
available timing options: TIMEB USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000175s 0.000012s   5718.5  81605.7
rsa 1024 bits 0.000693s 0.000034s   1442.0  29109.5
rsa 2048 bits 0.003379s 0.000085s    295.9  11787.6
rsa 4096 bits 0.022606s 0.000343s     44.2   2916.7
Conclusion
As you can see above, we can sustain the signing of 4096-bit RSA signatures at 44.2 per second. Since this box does not actively sign or serve as a CA, and will only be verifying the certs, let's look at the verify metric. On our current hardware, miraculously, we can verify 2916.7 certs a second signed with rsa4096. This is more than acceptable, since we won't be making more than 1 HTTP request a second.
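To turn the openssl speed table into a capacity estimate without reading it by eye, here is an added example (not code from the original post) that parses the "rsa NNNN bits ..." summary rows and works out how much of one core the verify load would consume at a given request rate. It goes one step beyond the article's single-verify reasoning: a TLS handshake verifies every certificate in the presented chain plus the handshake signature, so the per-handshake cost is several public-key operations, not one. The chain depth is an assumption passed in as a parameter (verifies_per_handshake); the sample output is the table printed above, embedded as a constructed string.

```python
import re
from dataclasses import dataclass

# Constructed sample: the summary rows exactly as `openssl speed rsa` printed
# them in the article above (OpenSSL 0.9.8zc on the 24-core box).
SAMPLE_OUTPUT = """\
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000175s 0.000012s   5718.5  81605.7
rsa 1024 bits 0.000693s 0.000034s   1442.0  29109.5
rsa 2048 bits 0.003379s 0.000085s    295.9  11787.6
rsa 4096 bits 0.022606s 0.000343s     44.2   2916.7
"""

# One summary row: key size, seconds per sign, seconds per verify, sign/s, verify/s.
ROW_RE = re.compile(
    r"^rsa\s+(\d+)\s+bits\s+([\d.]+)s\s+([\d.]+)s\s+([\d.]+)\s+([\d.]+)$"
)


@dataclass(frozen=True)
class RsaSpeed:
    bits: int
    sign_s: float        # seconds per private-key operation (signing)
    verify_s: float      # seconds per public-key operation (verifying)
    sign_per_s: float    # private-key operations per second
    verify_per_s: float  # public-key operations per second


def parse_speed_output(text):
    """Return {key_bits: RsaSpeed} for every 'rsa NNNN bits' row in the output."""
    results = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner lines, 'Doing ...' progress lines, the header row
        bits, sign_s, verify_s, sign_ps, verify_ps = m.groups()
        results[int(bits)] = RsaSpeed(
            int(bits), float(sign_s), float(verify_s), float(sign_ps), float(verify_ps)
        )
    return results


def max_handshakes_per_s(row, verifies_per_handshake=3):
    """Upper bound on handshakes one core can verify per second.

    verifies_per_handshake is an assumption: a leaf certificate, one
    intermediate, and the handshake signature make three verifies; adjust
    it to the real chain depth of the peer's certificate.
    """
    return row.verify_per_s / verifies_per_handshake


def verify_utilization(row, requests_per_s, verifies_per_handshake=3):
    """Fraction of one core spent on RSA verification at a given handshake rate.

    Assumes every request is a fresh full handshake (no session resumption),
    which is the worst case; resumed sessions do no public-key work.
    """
    return requests_per_s * verifies_per_handshake * row.verify_s


if __name__ == "__main__":
    speeds = parse_speed_output(SAMPLE_OUTPUT)
    r4096 = speeds[4096]
    print(f"rsa4096: {max_handshakes_per_s(r4096):.1f} handshakes/s per core (3 verifies each)")
    print(f"rsa4096 at 1 req/s: {verify_utilization(r4096, 1.0) * 100:.3f}% of one core")
```

Run it against a captured `openssl speed rsa` log from the Pi as well: the article's numbers come from the x86_64 box, and the verify_s column is the figure that matters for the slower verifying side, so paste the Pi's rows into SAMPLE_OUTPUT (or read them from a file) to see whether its headroom is as comfortable.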
I'll be posting another article soon about stress testing nginx and SSL offloading.