
Benchmark SSL/TLS certs: selfsigned vs signed (trusted)


I have two servers: a production server with a signed (trusted CA) cert and a test server with a self-signed cert.

How big is the difference between the two handshakes?

Because when benchmarking the two servers, the self-signed one handles ~90 req/sec whereas the trusted CA cert handles ~17 req/sec.

The server with the self-signed cert handles about 5 times as many requests per second as the one with the trusted CA cert.

Both servers use TLSv1.3,TLS_AES_128_GCM_SHA256,2048,128

Update

The client is the same in both tests and OCSP is not enabled on the server. The server is go-http and uses the same build binary. As far as I know, OCSP is not supported natively in go-http.

The size of the self-signed cert is 1.27KB, so I guess it's 1024 bit.

The size of the signed cert is 2.13KB, so probably it's 2048 bit (the full chain is 3.72KB: intermediate + public).

Steffen Ullrich: This does not look like a cryptography question to me, maybe try [security.se]. But without knowing more details of this the question cannot be answered. Specifically: is the client the same in both cases, does the client verify the certificates, does the client check OCSP, how large are the certificates including their intermediate on the wire, how many packets are needed for this on the wire ...
clarkk: @SteffenUllrich I have updated my question... maybe the size of the cert explains the big difference?
Maarten Bodewes: Impossible to tell without details, but generally the certificate chain is sent up to but excluding the trust anchor (which is optional, but best left out). So it might definitely impact communication if a self-signed cert is used - especially if the request / response is small of course. Trust path creation / verification will likely also take more time.
This is a little outside my area, but I'd be concerned that your tests are saying what you think they are saying. If you are benchmarking servers, should you exclude the time the client spends validating the certificate? Another approach would be to make sure you are running enough clients in parallel that you can be sure you are consuming all of the server's available resources. The rate that a single validating client can create connections sequentially is not a very useful measure.
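The two things the comments ask about, how many bytes the server puts on the wire for its chain and how much of the per-handshake time is the client validating, can be pulled apart with a small harness. This is an added example, not code from the question or from go-http: it issues constructed RSA-2048 certificates with Go's crypto/x509 (a self-signed leaf, and a leaf issued via an intermediate under a root), runs one TLS 1.3 handshake over loopback TCP, and reports the DER bytes the server sent and the elapsed time; a nil root pool makes the client skip verification, which is the benchmark-only client the last comment suggests. The function names, CommonNames and the loopback setup are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a constructed RSA-2048 certificate as DER plus its key; parent == nil means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pkey *rsa.PrivateKey) ([]byte, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	return der, key, err
}

// Handshake runs one TLS 1.3 handshake over loopback TCP and returns the DER bytes the server sent as its chain
// (leaf first, trust anchor omitted) and the elapsed time; a nil roots pool makes the client skip verification.
func Handshake(chain [][]byte, key *rsa.PrivateKey, roots *x509.CertPool) (int, time.Duration, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: key}}, MinVersion: tls.VersionTLS13}
	cli := &tls.Config{RootCAs: roots, ServerName: "localhost", InsecureSkipVerify: roots == nil}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // server side; Accept cannot fail because the listener is only closed after <-done below
		c, _ := ln.Accept()
		defer c.Close()
		done <- c.(*tls.Conn).Handshake()
	}()
	t := time.Now()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli) // Dial returns once the client side of the handshake is done
	if serr := <-done; err == nil {
		c.Close()
		err = serr
	}
	return len(bytes.Join(chain, nil)), time.Since(t), err
}
```

Running the same chain once against a verifying client and once with a nil pool shows how much of the time is spent in the client; the byte count is the part of the gap that is purely on the wire.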