tlsbench/README.md
2026-03-17 15:25:27 +01:00

# TLS
### WolfSSL
```bash
git clone https://github.com/wolfSSL/wolfssl --depth 1
cd wolfssl
sh autogen.sh
./configure --enable-all --enable-all-crypto --disable-shared --prefix=/opt/wolfssl-rs/
make
sudo make install
```
## Reproduce
### Record
On the controller machine.
#### Installation
Build netreplay and copy it in this folder.
Authorize netreplay to bind to ports 80 and 443:
```bash
sudo setcap CAP_NET_BIND_SERVICE=+eip netreplay
```
Open Firefox with a dedicated profile (create the profile using the GUI if it doesn't exist):
```bash
firefox -P tlsbench
```
In settings, disable DNS security.
In `about:config`, set `network.dns.forceResolve` to `127.0.0.1`.
Run the shell command:
```bash
python exp.py make debug -c
```
In Firefox, go to security settings, Certificates, import `/dev/shm/exp/certs/prime256v1/ca.crt` and trust it for identifying websites.
#### After installation
Stop anything running on ports 80 or 443.
Start the record proxy:
```bash
./netreplay records/mynewrecord record
```
Just browse. Any traffic will be recorded. Terminate netreplay with CTRL+C when finished.
### Measure
Copy the tlsbench folder to the target.
Build netreplay on the target with each desired cryptographic backend (one build per backend), and place each build in tlsbench, named `netreplay-aws-lc`, `netreplay-boring`, etc.
Install dependencies on the target:
```bash
sudo apt install acct dtach
sudo chmod +s /sbin/sa
```
Modify the experiment parameters at the top of `exp.py` to suit your setup and the experiments you want to run.
Run:
```bash
python exp.py make pi3 -c
python exp.py send pi3
python exp.py run pi3 --idle
```
You may need to keep an SSH connection to the target open during the experiment, and to set `RemoveIPC=no` in `/etc/systemd/logind.conf` (then run `systemctl restart systemd-logind`).
### Profile
Profile code execution on the local machine.
Install sa:
```bash
sudo apt install acct dtach python3-invoke python3-fabric
sudo chmod +s /sbin/sa
```
Install OpenSSL with debug symbols:
```bash
# Options from Debian build
# Debian package libssl3t64 -> Developer Information -> buildd reproducibility -> trixie rbuild
# https://tests.reproducible-builds.org/debian/rb-pkg/trixie/amd64/openssl.html
/usr/bin/perl ./Configure --release -g --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu shared no-idea no-mdc2 no-rc5 no-ssl3 no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand enable-tfo enable-zstd enable-zlib enable-fips enable-ec_nistp_64_gcc_128
# Or, if OpenSSL 1.1:
/usr/bin/perl ./Configure --release -g --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/x86_64-linux-gnu shared no-idea no-mdc2 no-rc5 no-ssl3 no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand enable-zlib enable-ec_nistp_64_gcc_128 linux-x86_64
```
To build netreplay against this OpenSSL build:
```bash
OPENSSL_LIB_DIR=/home/pi/reps/openssl-openssl-3.6.1/ OPENSSL_DIR=/home/pi/reps/openssl-openssl-3.6.1/ cargo build --release
```
Authorize non-root users to use perf:
```bash
sudo sysctl kernel.perf_event_paranoid=-1
```
Run:
```bash
python exp.py make local -c
python exp.py run local
python plots.py prof <path/to/log>
```
### RAPL
```bash
gcc -O3 powercap.c -o powercap
sudo chown root powercap
sudo chmod u+s powercap
```
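The setup steps above leave several privilege grants in place: `CAP_NET_BIND_SERVICE` on `netreplay`, setuid/setgid on `/sbin/sa`, setuid root on `powercap`, and `kernel.perf_event_paranoid=-1`. The following Python script is an added example, not part of tlsbench, that reports which of them are still active on a machine. The relative paths `./netreplay` and `./powercap` and all function names are assumptions.

```python
import os
import stat

# Paths from the README's commands; the relative ones assume the tlsbench folder is the cwd.
GRANTED_FILES = ["./netreplay", "/sbin/sa", "./powercap"]
PERF_SYSCTL = "/proc/sys/kernel/perf_event_paranoid"


def file_privileges(path):
    """Return the privilege grants present on one file (empty list if none or absent)."""
    try:
        st = os.stat(path)
    except OSError:
        return []
    found = []
    if st.st_mode & stat.S_ISUID:  # set by `chmod +s` and `chmod u+s`
        found.append(f"setuid, runs as uid {st.st_uid}")
    if st.st_mode & stat.S_ISGID:  # `chmod +s` sets this bit as well
        found.append(f"setgid, runs as gid {st.st_gid}")
    try:
        # `setcap` stores file capabilities in this extended attribute (Linux only).
        if os.getxattr(path, "security.capability"):
            found.append("file capabilities, list them with getcap")
    except (OSError, AttributeError):
        pass  # attribute not set, or xattrs unavailable on this platform
    return found


def perf_unrestricted(sysctl_text):
    """True if the value is -1, the setting the README applies for non-root perf."""
    return int(sysctl_text.strip()) == -1


def audit(paths=GRANTED_FILES, perf_text=None):
    """Map each still-active grant to a description."""
    report = {p: privs for p in paths if (privs := file_privileges(p))}
    if perf_text is None:
        try:
            with open(PERF_SYSCTL) as f:
                perf_text = f.read()
        except OSError:
            perf_text = "2"  # assumption: an unreadable sysctl is treated as restricted
    if perf_unrestricted(perf_text):
        report["kernel.perf_event_paranoid"] = ["-1, perf open to all users"]
    return report


if __name__ == "__main__":
    for target, grants in audit().items():
        print(f"{target}: {'; '.join(grants)}")
```

Run it from the tlsbench folder after an experiment; an empty output means none of the grants checked here remain.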
### Grid5000
```bash
ssh nancy.g5k
oarsub -q default -l host=2,walltime=2 -p "wattmeter=YES" -I
# Check the name of the other node in https://intranet.grid5000.fr/oar/Lyon/drawgantt-svg/
# Let's call them p1 and p2
ping p2
# Note p2 addr to exp.py
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
pip3 install fabric
python exp.py make g5k -c
python exp.py send g5k
# Notes
scp /lib/x86_64-linux-gnu/libssl.so.3.6 nancy.g5k:~/
scp /lib/x86_64-linux-gnu/libcrypto.so.3.6 nancy.g5k:~/
scp records/wikipedia nancy.g5k:tlsbench/records/
```
#### Wattmeter
API timestamps are in Paris time.
https://api.grid5000.fr/stable/sites/nancy/metrics?nodes=gros-69&metrics=bmc_node_power_watt&start_time=2026-02-26T14:00&end_time=2026-02-26T14:40