Ssl – Poor SSL performance with vsftpd

ftpmulti-threadingopensslsslvsftpd

I'm trying to tweak vsftpd to achieve maximum performance for my usage:

I have only one or two clients that connect to the server.
File size is between ~15MB and 1GB.
Typical transfer batch represent between 1 and 2GB of data.

For testing purposes, I'm using a tmpfs on both sides (thus eliminating any disks bottleneck) with a single 1GB file.

When SSL is disabled, performance is good, with a transfer rate at ~120MB/s (reaching the limits of gigabit networking).

With SSL enabled only for control traffic (and not data traffic), performance drops at about 112MB/s, which is still within the acceptable limits.

However, when SSL is enabled for data flows, the transfer speed drops dramatically:

6.7MB/s using 3DES & SHA (ssl_ciphers=DES-CBC3-SHA in vsftpd.conf)
16MB/s using DES & SHA (ssl_ciphers=DES-CBC-SHA)

I didn't tested other ciphers, but from what I can see from the CPU usage during the transfer, it seems that vsftpd is only using a single cpu/core per client. While this can fit for large ftp sites with hundreds of clients, I'd like to avoid this behavior and use more ressources on the server.

On a side note, if you have any ideas regarding other openssl ciphers…

Best Answer

I just read http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/ which suggests to run openssl speed. Depending on the results, you might want to pick another algorithm. Sadly, I have no idea how to spread the load of one encryption task to several cores.

Related Solutions

VSFTPD – Configure Implicit SSL on Debian

Clearly you'll need to set implicit_ssl=YES in the config file to get anywhere.

But when you do, you can't start the server, of course. So the first thing to do is look at the server's logs, in /var/log/vsftpd.log (or, possibly, the messages went to /var/log/user.log or /var/log/messages, but that's unlikely).

Without seeing that, I can't possibly tell you what the problem actually is, but as a wild guess, I'd say there's a decent chance it's failing to find its server SSL certificate. Other possible contenders for the problem include permission problems, SELinux failures (if you have that enabled), or vsftpd just plain not liking the set of configuration options you gave it - it can be very picky that way, so as to keep you from accidentally leaving it configured in an insecure state. Or there's no lack of other possibilities - that's why you need the logs.

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Related Topic