Author: Fuyi
Introduction
As Internet security standards have become widespread, encrypting communication with HTTPS to provide trusted access to websites and apps has become a recognized security standard. This article covers the points to watch when stress testing the HTTPS protocol, as well as the technical advantages and best practices of using PTS for HTTPS stress testing.
There are three common scenarios in which a website or app needs stress testing:
- Before launching a newly developed system or function, it is necessary to understand its performance level.
- When tuning the system, to compare performance before and after the system is expanded.
- Perform a performance evaluation of the system before participating in a platform event.
What is HTTPS
The full English name of HTTPS is Hyper Text Transfer Protocol over Secure Socket Layer, that is, a secure HTTP channel. As the name shows, it is not a new application-layer protocol: HTTP simply talks to SSL instead of talking to TCP directly. In the HTTP protocol, the application-layer HTTP communicates directly with the transport-layer TCP. In the HTTPS protocol, HTTP communicates with SSL, and SSL communicates with TCP, as shown in the figure:
HTTPS encrypts traffic in the SSL layer, which protects the website from tampering and hijacking. Here is a brief look at how HTTPS encryption and decryption work:
First, the client and server negotiate the encryption algorithm and protocol version. After the negotiation, the server sends its public key to the client. The client then generates a random string (the pre-master secret), encrypts it with the public key and returns it to the server. The server decrypts the ciphertext with its private key to obtain the pre-master secret, and a symmetric encryption key is then generated from the negotiated random number and encryption algorithm. At this point both parties hold the same key, which is used for symmetric encryption and decryption from then on.
Symmetric encryption performs better, but anyone who holds the key can decrypt intercepted ciphertext, so on its own it does not solve the hijacking problem. Asymmetric encryption is more secure, but its encryption and decryption carry a large performance overhead. HTTPS therefore uses asymmetric encryption in the handshake phase and symmetric encryption for the subsequent communication, which ensures security while keeping performance as high as possible.
Concerns of HTTPS stress testing
SSL handshake policy
HTTPS performs encryption and decryption during the handshake, so it consumes more computing resources than HTTP. To simulate a large number of user requests, a stress test engine often reuses the TCP connection and SSL handshake information globally or per thread. This improves the performance of the load generator, but when each loop is meant to represent a different client, the load generator produces enough traffic pressure without producing enough SSL handshake computation pressure, which can make the stress simulation inaccurate, as shown in the following figure:
Therefore, in the HTTPS stress test, it is necessary to specify whether to reset the SSL handshake state in each cycle according to the specific business logic of the stress test scenario, so as to accurately simulate the SSL handshake calculation pressure.
SSL protocol version
In an HTTPS stress test, in the first step of the SSL handshake between the client (the load generator) and the server, the client tells the server the highest SSL protocol version it supports. The server then takes the intersection of the versions supported by itself and by the client, and uses the highest version in that intersection as the SSL version actually used.
During stress testing, evaluate which version mainstream real clients use and configure it on the load generator, so that a different SSL version does not make the simulated SSL handshake computation pressure inaccurate.
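Both concerns above, the handshake policy and the protocol version, can be observed on a local test server. The following Go program is an added example, not PTS code and not part of the original article: it plays one virtual user against an in-process TLS server and counts the full and resumed handshakes the server performed, along with the negotiated version. `RunLoops` and the policy names are assumptions for this illustration, and `Reconnect` is an intermediate case beyond the yes/no reset choice discussed in the text.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// Loop policies: reuse the connection, reconnect with the cached TLS session, or reset both.
const KeepAlive, Reconnect, Reset = 0, 1, 2

// RunLoops sends `loops` requests as one virtual user to a local TLS test server and
// returns the server-side handshake counts and the negotiated protocol version.
func RunLoops(loops, policy int, maxVer uint16) (full, resumed int64, ver uint16, err error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{VerifyConnection: func(cs tls.ConnectionState) error {
		c := &full // runs once per handshake on the server, resumed or not
		if cs.DidResume {
			c = &resumed
		}
		atomic.AddInt64(c, 1)
		return nil
	}}
	srv.StartTLS()
	defer srv.Close()
	var tr *http.Transport
	for i := 0; i < loops; i++ {
		if tr == nil || policy == Reset { // Reset: new transport with an empty session cache
			tr = srv.Client().Transport.(*http.Transport).Clone()
			tr.DisableKeepAlives = policy != KeepAlive
			tr.TLSClientConfig.MaxVersion = maxVer // highest version the client offers
			tr.TLSClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(8)
		}
		resp, e := (&http.Client{Transport: tr}).Get(srv.URL)
		if e != nil {
			return full, resumed, 0, e
		}
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		ver = resp.TLS.Version
	}
	return full, resumed, ver, nil
}

func main() {
	for p := KeepAlive; p <= Reset; p++ {
		fmt.Println(RunLoops(5, p, tls.VersionTLS13))
	}
}
```

With five loops, `KeepAlive` costs the server one full handshake, `Reconnect` one full and four resumed handshakes, and `Reset` five full handshakes, which is the gap in handshake computation pressure the text describes.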
Why PTS—The advantages of PTS for HTTPS stress testing
Open source stress testing tools such as JMeter, Gatling, and K6 support HTTPS to varying degrees. JMeter [1] supports configuring whether each loop resets the SSL handshake state and supports configuring the client SSL protocol version, but does not support the HTTP2 protocol by default. Gatling [2] defaults to each virtual user sharing the SSL context and does not support resetting the SSL handshake state per loop. K6 [3] currently only supports setting the SSL protocol version.
As a cloud-based stress testing tool, PTS supports the following HTTPS-related features:
- Support HTTP2
Compared with HTTP1.1, the performance of HTTP2 is greatly improved, and all mainstream browsers already support the HTTP2 protocol. To simulate a real client, it is recommended to use the HTTP2 protocol.
- Support setting the SSL handshake policy
You can configure whether to reset the SSL handshake state on each loop, and choose according to the business scenario.
- Support specifying SSL protocol version
Using the PTS stress test can more realistically simulate the HTTPS stress initiated by the client, making the stress test results more credible.
How to—How to use PTS for HTTPS stress testing
Set SSL handshake policy
For an HTTPS stress test, you need to choose whether to reset the SSL connection state each time the serial link loops. If you choose to reset, the SSL state is re-initialized each time the serial link is executed in a loop, which more accurately simulates scenarios in which each loop represents a different user, but adds some performance overhead on the load generator.
Usage scenarios
- Scenario 1: In an HTTPS stress test, you want to simulate 100 users logging in and then keep these 100 users repeatedly accessing the system. Here each loop of the serial link simulates the behavior of the same virtual user. Set this switch to "No", then set the concurrency to 100.
- Scenario 2: In an HTTPS stress test, you want 100 different users to be accessing the system at every moment within 5 minutes. Here each loop of the serial link simulates the behavior of a different virtual user. To keep the pressure simulation realistic, set this switch to "Yes", then set the concurrency to 100. Because the load generator has extra performance overhead once this switch is turned on, it is also recommended to increase the number of load generator IPs.
Set SSL protocol version
Here are some common browsers' support for SSL versions for your reference:
It can be seen that mainstream browsers added support for TLSv1.3 around 2018~2020. Therefore, if the client simulated in your stress testing scenario is relatively new, it is recommended that you choose TLSv1.3 as the SSL version; if your scenario needs to simulate an older browser client, it is recommended that you select TLSv1.2 as the SSL version.
How to Record HTTPS Traffic
Each stress testing tool provides a proxy-based traffic recording tool, which is convenient for recording client traffic and quickly building stress testing scripts. For recording the HTTPS protocol, in addition to configuring the proxy, a trusted certificate is also required, which is more complicated.
PTS provides a certificate-free recording solution: a browser plug-in that supports fast recording of HTTPS traffic, decrypts it and converts it into a PTS stress test scenario, and supports exporting it as a JMeter script. You are welcome to download it [4]. For detailed operations, please refer to the document [5].
For mobile traffic recording, PTS provides two solutions: cloud real device and local device. The cloud real device has the PTS proxy configuration preset, so you can operate the mobile phone in the browser and record traffic without configuring a proxy or certificate. For detailed operation, please refer to the document [6].
Summary
In summary, this article mainly covered:
- What is HTTPS
- Points to note in HTTPS stress testing
- How to use PTS for HTTPS stress testing
For further discussion, you are welcome to join the DingTalk group. PTS user communication group number: 11774967
Reference documentation
[1] JMeter (official documentation):
[2] Gatling (official documentation): https://gatling.io/docs/gatling/reference/current/http/ssl/
[3] K6: https://k6.io/docs/using-k6/options/#tls-version
[4] Download (PTS HTTPS Recorder Plugin):
[5] Documentation (PTS recorder usage documentation - Chrome browser scenario): https://help.aliyun.com/document_detail/187749.html
[6] Documentation (PTS recorder usage documentation - Android mobile phone scenario): https://help.aliyun.com/document_detail/72519.html
[7] PTS HTTPS settings document: https://help.aliyun.com/document_detail/143194.html