feat: use different public-key length certs for TLS #2080

DeagleGross · 2025-03-31T16:40:09Z

I've noticed, that certificate length heavily contributes to the TLS speed (4096 bit vs 2048 bit). I have seen http.sys using 2048 bit length cert, and kestrel using a testCert.pfx which is 4096 bit length, meaning tests are unfair.

Besides updating certificates on the machines, I prepared a separate nginx test (with a possibility to specify a cert length) and updated http.sys + kestrel benchmarks to have such a parameter (http.sys now issues a cert before each run and kestrel uses pre-created certs)

Here are the RPS values for some random run on a server using different cert lengths

Cert length \ Server	Nginx	Kestrel	Http.Sys
2048	2,167	1436	1250-1450 (depending on EC curve)
4096	491	443	439

sebastienros · 2025-03-31T19:30:29Z

fyi we already have some docker file and config and certs using nginx. At least if there is a reason to create a new one then some things should be reused: https://github.com/aspnet/Benchmarks/blob/main/docker/nginx/nginx-https.conf

sebastienros · 2025-04-03T16:00:24Z

Can you check there aren't secrets / keys to add in the configuration files to prevent credscan from blocking internal merges?

DeagleGross added 11 commits March 31, 2025 14:37

try nginx

d96029e

logging

7a3c5f5

add to scenario config

15a55ef

try copilot advice

f1b6034

disable tmp

844a869

add wrk config

5c58b94

try wrk?

5606410

add log for ssl again + httpclient

48a7b54

remove logging

ac6b54d

log off?

0ae4109

disable resumption?

42fdefa

DeagleGross self-assigned this Mar 31, 2025

DeagleGross added 2 commits March 31, 2025 18:55

wroker processes 4

fb2f00d

affinity

8aa3911

DeagleGross force-pushed the dmkorolev/nginx branch from 5c0d99b to 8aa3911 Compare April 1, 2025 11:35

DeagleGross added 14 commits April 1, 2025 13:43

try with other cert

101dacc

2 different certs

ef0edf6

update cert for nginx + kestrel

86ca436

configure bit length

ed3a43c

try with other context dir?

2c72fc0

fix paths and build context!

37c7b5c

pre-configure properly!

369ee94

also delete a cert from the store

b81e10b

properly reuse cert

fd052b8

configure param

e9b649b

nah delete cert is a good step

daff6fb

go go cert length!!!

88864bb

try again

b512bcf

push certs!

54a2def

DeagleGross added 4 commits April 3, 2025 11:55

different cert

c32ea5b

regenerate certs (20 years long)

4013254

pass the parameter

a6701a1

Merge branch 'main' into dmkorolev/nginx

65c9f73

DeagleGross changed the title ~~feat: nginx to test TLS speed~~ feat: use different public-key length certs for TLS Apr 3, 2025

DeagleGross added 2 commits April 3, 2025 13:02

prepare reset

c6615a1

fill in cred scan

9212997

DeagleGross merged commit 1d7322b into aspnet:main Apr 3, 2025
2 checks passed

DeagleGross deleted the dmkorolev/nginx branch April 3, 2025 11:16

DeagleGross mentioned this pull request Apr 3, 2025

fix: fix path to user cert for TLS scenarios #2083

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: use different public-key length certs for TLS #2080

feat: use different public-key length certs for TLS #2080

DeagleGross commented Mar 31, 2025 •

edited

Loading

sebastienros commented Mar 31, 2025

sebastienros commented Apr 3, 2025

feat: use different public-key length certs for TLS #2080

feat: use different public-key length certs for TLS #2080

Conversation

DeagleGross commented Mar 31, 2025 • edited Loading

sebastienros commented Mar 31, 2025

sebastienros commented Apr 3, 2025

DeagleGross commented Mar 31, 2025 •

edited

Loading