[Ach] Testing with openssl s_time fails using nginx recommendations

Pepi Zawodsky pepi.zawodsky at maclemon.at
Thu Sep 1 01:09:28 CEST 2016


> On 31 Aug 2016, at 13:31, Kjetil Birkeland Moe <kjetil at skifremme.no> wrote:
> Is this problem due to the nginx config, or with OpenSSL?
Yes. :-)

> "openssl s_time -connect bettercrypto.org:443 -cipher AES128-GCM-SHA256 -time 2"

s_time requires SSLv3 to be available on the server. You may turn off TLS handshakes by passing -ssl3 (which is pretty useless these days). s_time doesn’t accept protocol options like s_client does so one can’t make it work with TLS only.

Of course your server must not have SSLv3 enabled for POODLE reasons.

From the man page of openssl(1):

Because this program does not have all the options of the s_client program to turn protocols on and off, you may not be able to measure the performance of all protocols with all servers.


Here’s a little snippet that I use to get a rough estimate of the tcp and TLS timings.

$ seq 5 | xargs -I@ -n1 curl -so /dev/null -w "tcp:%{time_connect}, ssldone:%{time_appconnect}\n" https://bettercrypto.org/

tcp:0.024, ssldone:0.321
tcp:0.019, ssldone:0.307
tcp:0.026, ssldone:0.313
tcp:0.016, ssldone:0.308
tcp:0.031, ssldone:0.330

You can get a bunch other timings with curl(1), just search for “time_” in the man page.
If you want to skip cert verification you can also pass -k, --insecure to curl.

Hope this helps!
Best regards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20160901/2db8783a/attachment.sig>

More information about the Ach mailing list