tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Wall" <>
Subject Re: Apache/Tomcat/SSL vs. Tomcat/SSL
Date Wed, 04 Feb 2004 21:53:54 GMT
> My thought is that since Apache is written in C it may be more efficient =
> to have Apache handle the SSL.  However, I am not sure if the overhead =
> of the connector would negate any performance benefits gained from =
> having Apache handle the SSL rather than Tomcat.  If performance is the =
> same or only marginally better with Apache then I am not sure if the =
> added complexity of having Apache in the equation is warranted.  I have =
> not benchmarked to see if there is actually a performance difference.  =
> Does anyone have an opinion on this or any benchmarks they could share?

Great question.  I've got the same consideration, but without a way to drive
lots of SSL transactions from lots of different clients, it's hard to know.
SSL has a lot of overhead in setup, but there's some SSL persistence that
gives you a benefit for frequent requests that avoid the re-negotations.
But I know that consumes memory, so there's no doubt issues related to the
number of different concurrent clients using SSL at the same time.

Also, OpenSSL (why it's never reached the 1.0 level I can't say since it's
been in production for many years!) is probably more mature than the JSSE.
And while C code would surely be faster, the server VMs supposedly do a
great job on code that's constantly executed as would be the case for the
SSL java code.  And surely there are real costs associated with the memory
and thread/process overhead of running HTTPD on the same computer.  Of
course, there are some security advantages if the HTTPD runs on one machine
with a public IP addr and TOMCAT on an other server using a private IP addr.

And the Apache http engine is certainly more mature than Tomcat's, but I
don't have any benchmarks or other info to tell me if it's really that much
faster, or if either is more secure (after all, Java typically is less
vulerable than C code).

We're creating an office edition of our flagship Signed & Secured enterprise
software, and we're trying to simplify systems dramatically, so we'd like to
get rid of Apache just for the simplicity of it all.  We're even going to
buck the "no user threads" warning for servlet containers since Tomcat
allows them and it will make our system even simpler by removing the need
for a couple of standalone Java applications and a few batch java

I hope others can comment on real stats they've seen.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message