tuxmain/tlsbench
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixes, TLS1.2

Browse source
This commit is contained in:
Pascal Engélibert 2026-01-23 13:56:19 +01:00
commit 08fd52eedb
3 changed files with 105 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -242,6 +242,12 @@ Start the record proxy:
Just browse. Any traffic to and from the selected names will be recorded. Terminate netplayer with CTRL+C when finished. Just browse. Any traffic to and from the selected names will be recorded. Terminate netplayer with CTRL+C when finished.
#### Incomplete records
The last HTTP payload of a record may be incomplete. If that happens, the run command will hang and display the faulty record number after a timeout.
Re-run with `-d --record <record-number>` and note the missing packet number.
Run `netreplay <record-file> remove <new-record-file> <record-number> <packet-number>` to remove the packet.
### Measure ### Measure
Measure resource cost on a different machine. Measure resource cost on a different machine.

54
exp.py
View file

@ -15,7 +15,7 @@ CONFIGS = {
"server-local", "server-local",
], ],
"records": [ "records": [
{ "filename": "wikipedia", "repeat": 1 }, { "filename": "youtube", "repeat": 1 },
], ],
"repodir": "/home/tuxmain/reps/tlsbench", "repodir": "/home/tuxmain/reps/tlsbench",
"expdir": "/dev/shm/exp", "expdir": "/dev/shm/exp",
@ -74,7 +74,7 @@ CONFIGS = {
"server", "server",
], ],
"records": [ "records": [
{ "filename": "wikipedia", "repeat": 500 }, { "filename": "wikipedia", "repeat": 400 },
], ],
"repodir": "/home/tuxmain/reps/tlsbench", "repodir": "/home/tuxmain/reps/tlsbench",
"expdir": "/dev/shm/exp", "expdir": "/dev/shm/exp",
@ -184,8 +184,9 @@ CONFIGS = {
"i5": { "i5": {
"experiments": [ "experiments": [
"impl-cipher-ver", "impl-cipher-ver",
#"impl-cert-ver", "impl-cert-ver",
#"impl-kex-ver", "impl-kex-ver",
"zrtt",
], ],
"setups": [ "setups": [
"none", "none",
@ -301,11 +302,11 @@ CERT_SIGN_ALGS = [
] ]
IMPLS = [ IMPLS = [
"aws_lc", # Amazon's Rust crypto widely used in Rust stuff "aws_lc", # Amazon's Rust crypto widely used in Rust stuff
#"boring", # Google's fork of OpenSSL used in Chrome and Android "boring", # Google's fork of OpenSSL used in Chrome and Android
#"graviola", # New crypto in Rust "graviola", # New crypto in Rust
#"openssl", # widely used "openssl", # widely used
#"ring", # used in most Rust stuff "ring", # used in most Rust stuff
#"symcrypt", # Microsoft's crypto "symcrypt", # Microsoft's crypto
#"wolfcrypt" # used in embedded (won't build with rpxy for now) #"wolfcrypt" # used in embedded (won't build with rpxy for now)
] ]
# Symmetric ciphers # Symmetric ciphers
@ -340,9 +341,9 @@ EXPERIMENTS = {
"AES_128_GCM_SHA256", "AES_128_GCM_SHA256",
"AES_256_GCM_SHA384", "AES_256_GCM_SHA384",
"CHACHA20_POLY1305_SHA256", "CHACHA20_POLY1305_SHA256",
#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
#"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384",
#"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
], ],
"kexes": ["X25519"], "kexes": ["X25519"],
"cert": ["prime256v1"], "cert": ["prime256v1"],
@ -353,7 +354,7 @@ EXPERIMENTS = {
"impls": IMPLS, "impls": IMPLS,
"ciphers": [ "ciphers": [
"AES_128_GCM_SHA256", "AES_128_GCM_SHA256",
#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
], ],
"kexes": ["X25519"], "kexes": ["X25519"],
"cert": [ "cert": [
@ -370,7 +371,7 @@ EXPERIMENTS = {
"impls": IMPLS, "impls": IMPLS,
"ciphers": [ "ciphers": [
"AES_128_GCM_SHA256", "AES_128_GCM_SHA256",
#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
], ],
"kexes": [ "kexes": [
"X25519", "X25519",
@ -385,17 +386,11 @@ EXPERIMENTS = {
}, },
# Compare 0-RTT with no early data # Compare 0-RTT with no early data
"zrtt": { "zrtt": {
"impls": [ "impls": IMPLS,
"aws_lc",
#"ring"
],
"ciphers": [ "ciphers": [
"AES_128_GCM_SHA256", "AES_128_GCM_SHA256",
#"AES_256_GCM_SHA384", #"AES_256_GCM_SHA384",
#"CHACHA20_POLY1305_SHA256", #"CHACHA20_POLY1305_SHA256",
#"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256",
#"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384",
#"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
], ],
"kexes": ["X25519"], "kexes": ["X25519"],
"cert": ["prime256v1"], "cert": ["prime256v1"],
@ -415,6 +410,9 @@ EXPERIMENTS = {
# Some algorithms are not available in all implementations # Some algorithms are not available in all implementations
def alg_filter(kex, cert, cipher, impl): def alg_filter(kex, cert, cipher, impl):
if "MLKEM" in kex and "WITH" in cipher:
# WITH means TLS1.2
return False
if "MLKEM" in kex and impl != "openssl" and impl != "aws_lc" and impl != "graviola": if "MLKEM" in kex and impl != "openssl" and impl != "aws_lc" and impl != "graviola":
return False return False
if kex == "SECP256R1MLKEM768" and impl == "openssl": if kex == "SECP256R1MLKEM768" and impl == "openssl":
@ -425,6 +423,8 @@ def alg_filter(kex, cert, cipher, impl):
return False return False
if kex == "MLKEM768" and impl == "graviola": if kex == "MLKEM768" and impl == "graviola":
return False return False
#if cipher == "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384" and impl == "openssl":
# return False
return True return True
DOMAINS = [] DOMAINS = []
@ -533,6 +533,7 @@ def make_certs(outdir, domains, alg, make_ca):
make_cert(outdir+root+".crt", outdir+root+".key", outdir+"ca.crt", outdir+"ca.key", root, roots[root]) make_cert(outdir+root+".crt", outdir+root+".key", outdir+"ca.crt", outdir+"ca.key", root, roots[root])
# Make a cert for all domains because choosing a certificate as a proxy is a real pain # Make a cert for all domains because choosing a certificate as a proxy is a real pain
# It is used by netreplay when recording. Rpxy will use specific certs.
make_sk(outdir+"all.key", alg) make_sk(outdir+"all.key", alg)
make_cert(outdir+"all.crt", outdir+"all.key", outdir+"ca.crt", outdir+"ca.key", "wikipedia.org", domains) make_cert(outdir+"all.crt", outdir+"all.key", outdir+"ca.crt", outdir+"ca.key", "wikipedia.org", domains)
@ -688,7 +689,7 @@ def choose_impl(expdir, p, impl):
expdir += "/" expdir += "/"
os.symlink(os.getcwd()+"/rpxy_rustls_"+impl, expdir+str(p)+"_rpxy", False) os.symlink(os.getcwd()+"/rpxy_rustls_"+impl, expdir+str(p)+"_rpxy", False)
def run_netreplay(expdir, repodir, record, p2_addr, p2_port, listen_port, tls_mode, only_record=None, ciphers=None, kexes=None, earlydata="0"): def run_netreplay(expdir, repodir, record, p2_addr, p2_port, listen_port, tls_mode, only_record=None, ciphers=None, kexes=None, earlydata="0", debug=False):
if expdir[-1] != "/": if expdir[-1] != "/":
expdir += "/" expdir += "/"
repodir = repodir.removesuffix("/") repodir = repodir.removesuffix("/")
@ -700,6 +701,8 @@ def run_netreplay(expdir, repodir, record, p2_addr, p2_port, listen_port, tls_mo
cmd = [repodir+"/netreplay", repodir+"/records/"+record["filename"], "play", p2_addr, str(p2_port), str(listen_port), expdir+"current_certs", tls_mode, "-r", str(record["repeat"]), cmd = [repodir+"/netreplay", repodir+"/records/"+record["filename"], "play", p2_addr, str(p2_port), str(listen_port), expdir+"current_certs", tls_mode, "-r", str(record["repeat"]),
#"--record", "21" #"--record", "21"
] ]
if debug:
cmd.append("-d")
if only_record != None: if only_record != None:
cmd += ["--record", only_record] cmd += ["--record", only_record]
print(" ".join(cmd)) print(" ".join(cmd))
@ -754,7 +757,7 @@ def get_rapl_energy(ssh, repodir):
energy += int(item) energy += int(item)
return energy return energy
def run_exp(config, only_record=None, idle=False, shutdown=False): def run_exp(config, only_record=None, idle=False, shutdown=False, debug=False):
ssh = None ssh = None
if "p2_ssh" in config: if "p2_ssh" in config:
ssh = connect_ssh(config) ssh = connect_ssh(config)
@ -899,6 +902,7 @@ def run_exp(config, only_record=None, idle=False, shutdown=False):
ciphers=cipher, ciphers=cipher,
kexes=kex, kexes=kex,
earlydata=earlydata, earlydata=earlydata,
debug=debug,
) )
# TODO detect when netreplay has finished # TODO detect when netreplay has finished
@ -1032,6 +1036,7 @@ Run options:
--record <id> Only play this record --record <id> Only play this record
--idle Also measure when idle --idle Also measure when idle
--shutdown Shutdown host and target when finished --shutdown Shutdown host and target when finished
--debug Print netreplay's debug
""".format( """.format(
sig_algs = " ".join(CERT_SIGN_ALGS), sig_algs = " ".join(CERT_SIGN_ALGS),
configs = " ".join([i for i in CONFIGS]), configs = " ".join([i for i in CONFIGS]),
@ -1092,7 +1097,8 @@ Run options:
print("Cannot power off") print("Cannot power off")
exit(1) exit(1)
run_exp(config, only_record=getargv("--record", None), idle="--idle" in sys.argv, shutdown=shutdown) debug = "--debug" in sys.argv
run_exp(config, only_record=getargv("--record", None), idle="--idle" in sys.argv, shutdown=shutdown, debug=debug)
if shutdown: if shutdown:
bus_proxy.PowerOff(False) bus_proxy.PowerOff(False)

86
plots.py
View file

@ -48,6 +48,8 @@ COL = {
"cert": "alg", "cert": "alg",
"kex": "kex", "kex": "kex",
"ed": "ed", "ed": "ed",
"side": "setup",
"record": "record",
} }
# Physical units by object # Physical units by object
UNIT = { UNIT = {
@ -142,7 +144,7 @@ replot
f.close() f.close()
os.system("gnuplot {plots_dir}/{object}_by_{criterion}_{side}_{record}.gnuplot".format(plots_dir=PLOTS_DIR, **kwargs)) os.system("gnuplot {plots_dir}/{object}_by_{criterion}_{side}_{record}.gnuplot".format(plots_dir=PLOTS_DIR, **kwargs))
def make_log_plot(logs, exp, criterion, side, obj, record, machine=None): def make_log_plot(logs, exp, criterion, side, obj, record, machine=None, version=None):
f = open(f"/dev/shm/plots/{obj}_by_{criterion}_{side}_{record}.dat", "w") f = open(f"/dev/shm/plots/{obj}_by_{criterion}_{side}_{record}.dat", "w")
ciphers = {} ciphers = {}
impls = [] impls = []
@ -162,6 +164,12 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None):
for log in logs: for log in logs:
if log["exp"] == exp and log["record"] == record and log["setup"] == side: if log["exp"] == exp and log["record"] == record and log["setup"] == side:
#ver = VER_LABEL[log["cipher"]]
#if log[COL[criterion]]+"/"+ver not in ciphers:
# ciphers[log[COL[criterion]]+"/"+ver] = {}
#ciphers[log[COL[criterion]]+"/"+ver][log["impl"]] = float(log[COL[obj]]) - idle_val * float(log["time"])
if version != None and VER_LABEL[log["cipher"]] != version:
continue
if log[COL[criterion]] not in ciphers: if log[COL[criterion]] not in ciphers:
ciphers[log[COL[criterion]]] = {} ciphers[log[COL[criterion]]] = {}
ciphers[log[COL[criterion]]][log["impl"]] = float(log[COL[obj]]) - idle_val * float(log["time"]) ciphers[log[COL[criterion]]][log["impl"]] = float(log[COL[obj]]) - idle_val * float(log["time"])
@ -174,14 +182,15 @@ def make_log_plot(logs, exp, criterion, side, obj, record, machine=None):
for impl in impls: for impl in impls:
if impl not in ciphers[cipher]: if impl not in ciphers[cipher]:
ciphers[cipher][impl] = 0 ciphers[cipher][impl] = 0
"""f.write("{}({}) - {}\n".format( #cipher_parts = cipher.split("/")
ALG_LABEL[cipher], #f.write("{}({}) - {}\n".format(
VER_LABEL[log["cipher"]], # ALG_LABEL[cipher_parts[0]],
" ".join([ # cipher_parts[1],
str(ciphers[cipher][impl]) # " ".join([
for impl in impls # str(ciphers[cipher][impl])
]), # for impl in impls
))""" # ]),
#))
f.write("{} - {}\n".format( f.write("{} - {}\n".format(
ALG_LABEL[cipher], ALG_LABEL[cipher],
" ".join([ " ".join([
@ -298,6 +307,48 @@ def make_linear_regression(logs):
#plt.show() #plt.show()
plt.savefig(f"{PLOTS_DIR}/correlation_energy_cpu.png") plt.savefig(f"{PLOTS_DIR}/correlation_energy_cpu.png")
# Measure relative difference between TLS versions
def cmp_versions(logs, exps, criteria, objs):
ciphers = {}
idle_val = None
for log in logs:
if log["exp"] == "idle":
idle_val = {obj:float(log[COL[obj]]) / float(log["time"]) for obj in objs}
for log in logs:
if log["exp"] not in exps or log["setup"] == "none":
continue
ver = VER_LABEL[log["cipher"]]
if ver not in ciphers:
ciphers[ver] = {}
key = []
for criterion in criteria:
key.append(ALG_LABEL.get(log[COL[criterion]], log[COL[criterion]]))
key = "/".join(key)
if key not in ciphers[ver]:
ciphers[ver][key] = log
diff_rel_max = {obj:0.0 for obj in objs}
diff_rel_sum = {obj:0.0 for obj in objs}
diff_rel_num = {obj:0 for obj in objs}
for key in ciphers["1.2"]:
if key not in ciphers["1.3"]:
continue
log12 = ciphers["1.2"][key]
log13 = ciphers["1.3"][key]
for obj in objs:
val12 = float(log12[COL[obj]]) - idle_val[obj] * float(log12["time"])
val13 = float(log13[COL[obj]]) - idle_val[obj] * float(log13["time"])
# Difference relative to the mean of the two values
diff_rel = abs(val12 - val13) / ((val12 + val13) / 2)
diff_rel_max[obj] = max(diff_rel_max[obj], diff_rel)
diff_rel_sum[obj] += diff_rel
diff_rel_num[obj] += 1
diff_rel_avg = {obj:diff_rel_sum[obj]/diff_rel_num[obj] for obj in objs}
print("Diff rel max: ", diff_rel_max)
print("Diff rel avg: ", diff_rel_avg)
def getargv(arg:str, default="", n:int=1, args:list=sys.argv): def getargv(arg:str, default="", n:int=1, args:list=sys.argv):
if arg in args and len(args) > args.index(arg)+n: if arg in args and len(args) > args.index(arg)+n:
return args[args.index(arg)+n] return args[args.index(arg)+n]
@ -331,16 +382,17 @@ if __name__ == "__main__":
machine = getargv("-m", None) machine = getargv("-m", None)
if cmd == "log": if cmd == "log":
cmp_versions(logs, ["impl-cipher-ver", "impl-cert-ver", "impl-kex-ver"], ["side", "cipher", "cert", "kex", "record"], ["cpu", "energy"])
for side in ["client", "server"]: for side in ["client", "server"]:
for record in records: for record in records:
make_log_plot(logs, "impl-cipher-ver", "cipher", side, "cpu", record, machine=machine) make_log_plot(logs, "impl-cipher-ver", "cipher", side, "cpu", record, machine=machine, version="1.3")
make_log_plot(logs, "impl-cipher-ver", "cipher", side, "energy", record, machine=machine) make_log_plot(logs, "impl-cipher-ver", "cipher", side, "energy", record, machine=machine, version="1.3")
make_log_plot(logs, "impl-cert-ver", "cert", side, "cpu", record, machine=machine) make_log_plot(logs, "impl-cert-ver", "cert", side, "cpu", record, machine=machine, version="1.3")
make_log_plot(logs, "impl-cert-ver", "cert", side, "energy", record, machine=machine) make_log_plot(logs, "impl-cert-ver", "cert", side, "energy", record, machine=machine, version="1.3")
make_log_plot(logs, "impl-kex-ver", "kex", side, "cpu", record, machine=machine) make_log_plot(logs, "impl-kex-ver", "kex", side, "cpu", record, machine=machine, version="1.3")
make_log_plot(logs, "impl-kex-ver", "kex", side, "energy", record, machine=machine) make_log_plot(logs, "impl-kex-ver", "kex", side, "energy", record, machine=machine, version="1.3")
make_log_plot(logs, "zrtt", "ed", side, "cpu", record, machine=machine) make_log_plot(logs, "zrtt", "ed", side, "cpu", record, machine=machine, version="1.3")
make_log_plot(logs, "zrtt", "ed", side, "energy", record, machine=machine) make_log_plot(logs, "zrtt", "ed", side, "energy", record, machine=machine, version="1.3")
elif cmd == "prof": elif cmd == "prof":
for side in ["client-local", "server-local"]: for side in ["client-local", "server-local"]:
for record in records: for record in records: