Re: Impact of SSL by DaveMo
DaveMo
Fri Nov 16 06:53:59 PST 2007
On Nov 14, 8:47 pm, "Ken Schaefer" <kenREM...@THISadOpenStatic.com>
wrote:
> With Windows Server 2003 SP1, you can enable kernel-mode SSL. This moves the
> most expensive part of the SSL/TLS process (the handshake) into kernel mode,
> and removes a number of context switches between user mode (LSASS) and
> kernel mode (http.sys). With that, you can expect about a 10% degradation in
> performance. That number varies depending on how long your key lengths are
> (stronger keys = more overhead), and what ratio of session setup /
> established session traffic you have.
>
> If you are running into performance issues, you could just add another box.
> Or look at an SSL offloading device to place in front of your servers.
>
> Cheers
> Ken
>
> "Chris M" <N...@mckeownpants-online.com> wrote in message
>
> news:fheg0t$tra$1@aioe.org...
>
> > Hello all,
>
> > I administer servers that run a busy web application. The IIS servers are
> > load balanced, currently Windows 2000 Advanced Server but upgrading to
> > 2003 very soon.
>
> > At the moment, only the login process is always secured. A fully SSL
> > secured session is an optional extra that the user can choose at logon.
>
> > We're looking to move to forcing SSL across the whole application and
> > removing the possibility of a plain HTTP session.
>
> > We need to be sure that we still have the capacity to cope after the
> > switchover. Does anyone know what kind of performance/capacity impact this
> > might have on our webservers? I guess it's probably hard to gauge without
> > some kind of stress testing tool - can anyone recommend anything?
>
> > Thanks in advance,
>
> > --
> > Chris M.
>
> > Remove pants to email me.
>
I did a series of tests back in 2003 on Server 2003 and measured the
perf impact of encrypting the data stream as something around 5%. This
is pure CPU overhead as there was no other measurable or observed
impact. This discounts the cost of doing the handshake, but that
matches your scenario since you are doing the handshake already during
authentication.
HTH,
Dave