How to test HTTPS overhead compared to HTTP?
Hi,
We are in the process of launching our site. it is currently designed with several non-secure pages, and we are only securing the login page and some other pages.
Since we are using a Load Balancer to offload the SSL to the backend Apache servers, we are having some issues with which pages need to be in SSL and which do not, it's quite a mess that we don't really have the time to solve.
I suggested just doing the whole thing in https, but we really have to investigate the possible added overhead if we take this approach.
I've been reading around, and I know now that slowness in https is not a fact, it heavily depends on what you are trying to serve. since our application is highly database centric, one could argue that the ssl overhead would be negligible.
I'm trying to get some actual results from testing, what I've done first is set up Jmeter to make a request to the same page in http and https. the results were identical, other than a "warmup" first request that was slower in https.
I don't think my test is meaningful, because:
a. I just realized that the first request was slow because of the SSL handshake, and all the following requests did not have to do the handshake again.
[EDIT: I just found a way to resolve that. unchecked "use keep-alive" in Jmeter, so each request makes its own SSL handshake, as far as I can see in the sniff]
b. Jmeter does not simulate the browser processing time for SSL.
Can anyone recommend another proper way of testing this?
obviously I can do it one at a time with my browser... but I would like to get some proper statistics instead of one refresh at a time
thanks
We are in the process of launching our site. it is currently designed with several non-secure pages, and we are only securing the login page and some other pages.
Since we are using a Load Balancer to offload the SSL to the backend Apache servers, we are having some issues with which pages need to be in SSL and which do not, it's quite a mess that we don't really have the time to solve.
I suggested just doing the whole thing in https, but we really have to investigate the possible added overhead if we take this approach.
I've been reading around, and I know now that slowness in https is not a fact, it heavily depends on what you are trying to serve. since our application is highly database centric, one could argue that the ssl overhead would be negligible.
I'm trying to get some actual results from testing, what I've done first is set up Jmeter to make a request to the same page in http and https. the results were identical, other than a "warmup" first request that was slower in https.
I don't think my test is meaningful, because:
a. I just realized that the first request was slow because of the SSL handshake, and all the following requests did not have to do the handshake again.
[EDIT: I just found a way to resolve that. unchecked "use keep-alive" in Jmeter, so each request makes its own SSL handshake, as far as I can see in the sniff]
b. Jmeter does not simulate the browser processing time for SSL.
Can anyone recommend another proper way of testing this?
obviously I can do it one at a time with my browser... but I would like to get some proper statistics instead of one refresh at a time
thanks
hankknight
Do you have access to a Linux command line?
ASKER
Yes
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, but does also does not solve my second limitation - not taking into consideration the actual browser processing time for SSL. it seems that downloading command is more or less like what I was doing with Jmeter.
and.. really? testing performance with only a seconds resolution and not miliseconds?? :D
and.. really? testing performance with only a seconds resolution and not miliseconds?? :D
Do you have a large amount of visitors/very heavy usage that this would be a cause for concern? SSL on every page seems to be common now. This thread (including the answers not chosen) is worth a read https://www.experts-exchange.com/questions/28236294/Force-HTTPS-or-HTTP-for-specific-files-in-htaccess.html