14. Performance tuning

If connections time out because of a slow network, you can raise the timeout with SetConnectionTimeout=seconds (the default is 900 seconds).

Even without tweaking, the server can probably handle some 100 connections per second on a 500 MHz i686. Depending on how verbose you want the logging to be, this should suffice even for some thousand clients.

Almost all time is spent (i) in the HMAC function that computes the message signatures, and (ii) if you do not have the gmp (GNU MP) multiple precision library, in the multiple precision arithmetic library (for SRP authentication).

The reason for (ii) is that samhain / yule will use a simple, portable, but not very efficient MP library that is included in the source code, if gmp is not present on your system.

To improve performance, you can:

  • install gmp, remove the file config.cache in the source directory (if you have run configure before), and then run configure and make again. The configure script should automatically detect the gmp library and link against it.

  • use a simple keyed hash (HASH-TIGER), which will compute signatures as HASH(message key) instead of the HMAC (HMAC-TIGER). This will save two of the three hash computations required for an HMAC signature.

    CAVEAT

    Make sure you use the same signature type on server and client!

        [Misc]
        #
        # use simple keyed hash for message signatures
        # Make sure you set this both for client and server
        #
        MACType=HASH-TIGER

  • build a static binary (use the --enable-static switch for configure). Static binaries are faster, and also more secure, because they cannot be subverted via libraries they depend upon. (However, if there is a bug in one of the compiled-in libraries, you'd need to re-compile a static executable after an update of the library.)

    Note

    Some functionality may not be available with static binaries, in particular some name services (NIS, LDAP), the portmap service (used for the port check), and the support for the Linux audit daemon and SQL databases. On some operating systems (e.g. Solaris) static compiling may not be possible at all.

  • change the compiler switches to optimize more aggressively.

  • if on a commercial UNIX, check whether the native compiler produces faster code than gcc (you need an ANSI C compiler). The configure script honours CC (compiler) and CFLAGS environment variables.
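The caveat on MACType above can be checked before a changed configuration is rolled out. The following script is an added example, not part of samhain: it reads the [Misc] section of a client and a server configuration file and reports whether both select the same signature type. The sample file names and contents are constructed, and the script assumes that option names match case-insensitively and that a file which does not set MACType uses the HMAC (HMAC-TIGER).

```shell
#!/bin/sh
# Added example, not samhain code: check that client and server
# configuration files select the same message signature type.

# Print the MACType set in the [Misc] section of config file $1.
# Assumptions: option names match case-insensitively, and a file that
# does not set MACType uses the HMAC (HMAC-TIGER).
mactype_of() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        /^[ \t]*#/  { next }                      # comment line
        /^[ \t]*\[/ {                             # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_misc = (tolower(sec) == "misc")
            next
        }
        in_misc && tolower($0) ~ /^[ \t]*mactype[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            found = val                           # a later line overrides
        }
        END { print (found != "" ? found : "HMAC-TIGER") }
    ' "$1"
}

# Return 0 if both files agree, 1 on mismatch, 2 if a file is unreadable.
check_mactype() {
    c=$(mactype_of "$1") || return 2
    s=$(mactype_of "$2") || return 2
    if [ "$c" = "$s" ]; then
        echo "OK: client and server both use $c"
    else
        echo "MISMATCH: client=$c server=$s"
        return 1
    fi
}

# Constructed sample files: the server was switched to the keyed hash,
# but the line is still commented out on the client.
demo_dir=$(mktemp -d)
printf '[Misc]\n# keyed hash\n  MACType=HASH-TIGER\n' > "$demo_dir/yulerc"
printf '[Misc]\n# MACType=HASH-TIGER\n' > "$demo_dir/samhainrc"
check_mactype "$demo_dir/samhainrc" "$demo_dir/yulerc" || true
rm -rf "$demo_dir"
```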