What am I missing to enable multi-SSL certificates for RSA/ECDSA in LSWS 5.4?

eva2000

Well-Known Member
#1
In LSWS 5.4 I have enabled multi-SSL certificates.

httpd_config.xml is set with <sslEnableMultiCerts>1</sslEnableMultiCerts>

Code:
  <tuning>
    <eventDispatcher>best</eventDispatcher>
    <maxConnections>100000</maxConnections>
    <maxSSLConnections>100000</maxSSLConnections>
    <connTimeout>300</connTimeout>
    <maxKeepAliveReq>10000</maxKeepAliveReq>
    <smartKeepAlive>0</smartKeepAlive>
    <keepAliveTimeout>5</keepAliveTimeout>
    <sndBufSize>0</sndBufSize>
    <rcvBufSize>0</rcvBufSize>
    <maxReqURLLen>8192</maxReqURLLen>
    <maxReqHeaderSize>16380</maxReqHeaderSize>
    <maxReqBodySize>500M</maxReqBodySize>
    <maxDynRespHeaderSize>8K</maxDynRespHeaderSize>
    <maxDynRespSize>500M</maxDynRespSize>
    <maxCachedFileSize>4096</maxCachedFileSize>
    <totalInMemCacheSize>20M</totalInMemCacheSize>
    <maxMMapFileSize>256K</maxMMapFileSize>
    <totalMMapCacheSize>40M</totalMMapCacheSize>
    <useSendfile>1</useSendfile>
    <useAIO>1</useAIO>
    <AIOBlockSize>4</AIOBlockSize>
    <enableGzipCompress>1</enableGzipCompress>
    <enableDynGzipCompress>1</enableDynGzipCompress>
    <gzipCompressLevel>1</gzipCompressLevel>
    <compressibleTypes>text/*,application/x-javascript,application/javascript,application/xml,image/svg+xml,application/rss+xml</compressibleTypes>
    <gzipAutoUpdateStatic>1</gzipAutoUpdateStatic>
    <gzipStaticCompressLevel>6</gzipStaticCompressLevel>
    <gzipMaxFileSize>1M</gzipMaxFileSize>
    <gzipMinFileSize>300</gzipMinFileSize>
    <SSLCryptoDevice>null</SSLCryptoDevice>
    <sslEnableMultiCerts>1</sslEnableMultiCerts>
  </tuning>
The port 443 listener has
Code:
    <listener>
      <name>HTTPS</name>
      <address>*:443</address>
      <reusePort>1</reusePort>
      <binding></binding>
      <secure>1</secure>
      <vhostMapList>
        <vhostMap>
          <vhost>Example</vhost>
          <domain>*</domain>
        </vhostMap>
      </vhostMapList>
      <keyFile>/etc/ssl/server.key</keyFile>
      <certFile>/etc/ssl/server.crt</certFile>
    </listener>
In /etc/ssl there are:
  • /etc/ssl/server.crt
  • /etc/ssl/server.key
  • /etc/ssl/server.crt.ecc
  • /etc/ssl/server.key.ecc
but LSWS can only serve ECDSA SSL cipher HTTP/2 requests and fails when serving RSA SSL cipher requests?

Code:
h2load -t1 -c1 -n10 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 https://ipaddr/
starting benchmark...
spawning thread #0: 1 total client(s). 10 total requests

finished in 477us, 0.00 req/s, 0B/s
requests: 10 total, 0 started, 0 done, 0 succeeded, 10 failed, 10 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
                     min         max         mean         sd        +/- sd
time for request:        0us         0us         0us         0us     0.00%
time for connect:        0us         0us         0us         0us     0.00%
time to 1st byte:        0us         0us         0us         0us     0.00%
req/s           :       0.00        0.00        0.00        0.00   100.00%
Code:
h2load -t1 -c1 -n10 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 https://ipaddr/
starting benchmark...
spawning thread #0: 1 total client(s). 10 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
Application protocol: http/1.1
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 20us, 500000.00 req/s, 645.16MB/s
requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 10 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 13.21KB (13530) total, 2.69KB (2750) headers (space savings 0.00%), 9.99KB (10230) data
                     min         max         mean         sd        +/- sd
time for request:       47us       188us        77us        42us    90.00%
time for connect:     2.87ms      2.87ms      2.87ms         0us   100.00%
time to 1st byte:     3.06ms      3.06ms      3.06ms         0us   100.00%
req/s           :    2680.71     2680.71     2680.71        0.00   100.00%
 

mistwang

LiteSpeed Staff
#2
If only

/etc/ssl/server.crt
/etc/ssl/server.key
are available, will it serve the RSA cipher?

You can try making an extra copy of
/etc/ssl/server.crt
/etc/ssl/server.key
to
/etc/ssl/server.crt.rsa
/etc/ssl/server.key.rsa
and see if it loads the RSA key. Check for any errors during server startup.

For the HTTP/1.1 fallback, I think it is an ALPN handshake problem for some reason. Maybe the h2load rpm was only built with NPN, without ALPN.
LSWS only supports ALPN now.
 

eva2000

Well-Known Member
#3
Yeah, the HTTP/1.1 fallback is being discussed here: https://github.com/http2benchmark/http2benchmark/issues/7. Apparently there's an option in LSWS that disables HTTP/2 for localhost, but trying <autoDisableHttp2>0</autoDisableHttp2> still shows the h2load rpm version using HTTP/1.1 and not HTTP/2.

The http2benchmark server + client setup shows HTTP/2 for h2load tests triggered on the client, but HTTP/1.1 for localhost tests triggered on the server end. Both use the same CentOS 7 h2load rpm via nghttp2, which is built against OpenSSL 1.0.2, so it supports ALPN and the h2 protocol; that isn't the problem.

I also modified my fork of http2benchmark to add support for my nghttp2 docker image with a newer h2load version built against OpenSSL 1.1.1 with TLSv1.3 support, and the same http2benchmark testing with the newer h2load version still shows HTTP/1.1 on local server tests but HTTP/2 on client-end triggered tests.

As to RSA/ECDSA, I will try making an extra copy with *.rsa file name endings and see if that helps.
 

eva2000

Well-Known Member
#4
OK, tried with .rsa too and h2load still fails when testing LSWS 5.4 with multi-SSL cert enabled. Note that the same SSL certs used on nginx work for both RSA/ECDSA, so that rules out RSA cert issues.

RSA cipher failed:
Code:
h2load -n100 -c100 -t1 -T5 -m10 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip,deflate' https://ipaddr/1kgzip-static.html
starting benchmark...
spawning thread #0: 100 total client(s). 5000 total requests

finished in 9.41ms, 0.00 req/s, 0B/s
requests: 5000 total, 0 started, 0 done, 0 succeeded, 5000 failed, 5000 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
                     min         max         mean         sd        +/- sd
time for request:        0us         0us         0us         0us     0.00%
time for connect:        0us         0us         0us         0us     0.00%
time to 1st byte:        0us         0us         0us         0us     0.00%
req/s           :       0.00        0.00        0.00        0.00   100.00%
while ECDSA passes:
Code:
h2load -n100 -c100 -t1 -T5 -m10 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip,deflate' https://ipaddr/1kgzip-static.html
starting benchmark...
spawning thread #0: 100 total client(s). 100 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 64.94ms, 1540.00 req/s, 518.85KB/s
requests: 100 total, 100 started, 100 done, 100 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 33.69KB (34500) total, 17.87KB (18300) headers (space savings 39.40%), 9.28KB (9500) data
                     min         max         mean         sd        +/- sd
time for request:     5.53ms     24.81ms      7.60ms      5.26ms    91.00%
time for connect:    29.07ms     57.38ms     51.90ms      7.26ms    91.00%
time to 1st byte:    53.43ms     64.03ms     59.50ms      2.50ms    79.00%
req/s           :      15.60       18.69       16.83        0.73    79.00%

Code:
ls -lah /etc/ssl/
total 40K
drwxr-xr-x.  2 root root 4.0K Aug 17 07:46 .
drwxr-xr-x. 82 root root 8.0K Aug 17 07:46 ..
lrwxrwxrwx   1 root root   16 May 23  2018 certs -> ../pki/tls/certs
-rw-r--r--   1 root root 1.5K Aug 17 07:46 http2benchmark.crt
-rw-r--r--   1 root root  956 Aug 17 07:46 http2benchmark.crt.ecc
-rw-r--r--   1 root root 1.5K Aug 17 07:46 http2benchmark.crt.rsa
-rw-r--r--   1 root root 1.7K Aug 17 07:46 http2benchmark.key
-rw-r--r--   1 root root  302 Aug 17 07:46 http2benchmark.key.ecc
-rw-r--r--   1 root root 1.7K Aug 17 07:46 http2benchmark.key.rsa
Code:
  <tuning>
    <eventDispatcher>best</eventDispatcher>
    <maxConnections>100000</maxConnections>
    <maxSSLConnections>100000</maxSSLConnections>
    <connTimeout>300</connTimeout>
    <maxKeepAliveReq>10000</maxKeepAliveReq>
    <smartKeepAlive>0</smartKeepAlive>
    <keepAliveTimeout>5</keepAliveTimeout>
    <sndBufSize>0</sndBufSize>
    <rcvBufSize>0</rcvBufSize>
    <maxReqURLLen>8192</maxReqURLLen>
    <maxReqHeaderSize>16380</maxReqHeaderSize>
    <maxReqBodySize>500M</maxReqBodySize>
    <maxDynRespHeaderSize>8K</maxDynRespHeaderSize>
    <maxDynRespSize>500M</maxDynRespSize>
    <maxCachedFileSize>4096</maxCachedFileSize>
    <totalInMemCacheSize>20M</totalInMemCacheSize>
    <maxMMapFileSize>256K</maxMMapFileSize>
    <totalMMapCacheSize>40M</totalMMapCacheSize>
    <useSendfile>1</useSendfile>
    <useAIO>1</useAIO>
    <AIOBlockSize>4</AIOBlockSize>
    <enableGzipCompress>1</enableGzipCompress>
    <enableDynGzipCompress>1</enableDynGzipCompress>
    <gzipCompressLevel>1</gzipCompressLevel>
    <compressibleTypes>text/*,application/x-javascript,application/javascript,application/xml,image/svg+xml,application/rss+xml</compressibleTypes>
    <gzipAutoUpdateStatic>1</gzipAutoUpdateStatic>
    <gzipStaticCompressLevel>6</gzipStaticCompressLevel>
    <gzipMaxFileSize>1M</gzipMaxFileSize>
    <gzipMinFileSize>300</gzipMinFileSize>
    <SSLCryptoDevice>null</SSLCryptoDevice>
    <sslEnableMultiCerts>1</sslEnableMultiCerts>
  </tuning>
Code:
  <listenerList>
    <listener>
      <name>HTTPS</name>
      <address>*:443</address>
      <reusePort>1</reusePort>
      <binding></binding>
      <secure>1</secure>
      <vhostMapList>
        <vhostMap>
          <vhost>Example</vhost>
          <domain>*</domain>
        </vhostMap>
      </vhostMapList>
      <keyFile>/etc/ssl/http2benchmark.key</keyFile>
      <certFile>/etc/ssl/http2benchmark.crt</certFile>
    </listener>
    <listener>
      <name>HTTP</name>
      <address>*:80</address>
      <secure>0</secure>
      <vhostMapList>
        <vhostMap>
          <vhost>Example</vhost>
          <domain>*</domain>
        </vhostMap>
      </vhostMapList>
    </listener>
  </listenerList>
Update: if I change httpd_config.xml to the below, then RSA works but ECDSA fails:
Code:
      <keyFile>/etc/ssl/http2benchmark.key.rsa</keyFile>
      <certFile>/etc/ssl/http2benchmark.crt.rsa</certFile>
      <keyFile>/etc/ssl/http2benchmark.key.ecc</keyFile>
      <certFile>/etc/ssl/http2benchmark.crt.ecc</certFile>
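The thread's diagnostic is to run h2load once per cipher family and compare which handshake completes and which ALPN protocol is negotiated. The following is an added example (not code from the thread, LiteSpeed or nghttp2) that parses h2load output in the format shown above and reports, per requested cipher, whether the server presented a usable certificate and whether h2 was negotiated. The two sample outputs are constructed, abridged copies of the runs in post #1.

```python
"""Classify h2load runs per cipher family to spot a missing RSA/ECDSA
certificate or an ALPN fallback. Added example, not from the thread."""
import re

# Constructed sample outputs, shaped like the h2load runs in the thread.
RSA_RUN = """h2load -t1 -c1 -n10 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 https://ipaddr/
starting benchmark...
spawning thread #0: 1 total client(s). 10 total requests

finished in 477us, 0.00 req/s, 0B/s
requests: 10 total, 0 started, 0 done, 0 succeeded, 10 failed, 10 errored, 0 timeout
"""
ECDSA_RUN = """h2load -t1 -c1 -n10 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 https://ipaddr/
starting benchmark...
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Application protocol: http/1.1
requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
"""


def parse_h2load(output: str) -> dict:
    """Extract the requested cipher, the cipher actually negotiated, the
    ALPN protocol and the success/failure counts from one h2load run."""
    req = re.search(r"--ciphers=(\S+)", output)
    neg = re.search(r"^Cipher: (\S+)", output, re.M)        # absent => no handshake
    alpn = re.search(r"^Application protocol: (\S+)", output, re.M)
    counts = re.search(r"(\d+) succeeded, (\d+) failed", output)
    return {
        "requested": req.group(1) if req else None,
        "negotiated": neg.group(1) if neg else None,
        "alpn": alpn.group(1) if alpn else None,
        "succeeded": int(counts.group(1)) if counts else 0,
        "failed": int(counts.group(2)) if counts else 0,
    }


def diagnose(runs) -> list:
    """One finding per run: which certificate family the server could use
    and whether HTTP/2 was negotiated via ALPN."""
    findings = []
    for r in map(parse_h2load, runs):
        auth = "ECDSA" if "ECDSA" in (r["requested"] or "") else "RSA"
        if r["negotiated"] is None or r["succeeded"] == 0:
            findings.append(f"{auth}: TLS handshake failed, no {auth} certificate served")
        elif r["alpn"] != "h2":
            findings.append(f"{auth}: served, but ALPN negotiated {r['alpn']} instead of h2")
        else:
            findings.append(f"{auth}: OK")
    return findings
```

Feed it the real output of two h2load invocations (one with an ECDHE-RSA cipher, one with ECDHE-ECDSA) to confirm a multi-cert listener serves both families over h2.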
 