tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLS handshake performance
Date Fri, 19 May 2017 12:42:00 GMT

Mark,

On 5/18/17 9:47 AM, Mark Thomas wrote:
> On 18/05/2017 06:04, Christopher Schultz wrote:
>> Mark,
>> 
>> On 5/17/17 5:31 PM, Mark Thomas wrote:
>>> I got asked in the corridor at TomcatCon earlier today what
>>> the relative performance of the TLS handshake was with 8.5.x,
>>> the NIO connector and JSSE vs OpenSSL TLS implementation.
>> 
>> I'm curious about what exactly "TLS handshake" was intended to
>> mean (by the person who asked the question) in this context.
> 
> They are using Tomcat in a scenario where clients are making
> single requests (so keep-alive doesn't help). Given that the
> handshake uses asymmetric encryption which is more expensive than
> symmetric encryption (which is why the handshake is used to
> establish a shared secret so symmetric encryption can be used for
> the actual data) they wanted a sense of the performance benefit -
> if any - of NIO and 8.5.x with OpenSSL vs NIO and 8.5.x with
> JSSE.
> 
>> The handshake itself does not perform any bulk transfer of
>> encrypted data, so the negotiated cipher suite does not matter.
>> However...
>> 
>>> Tested with: ab -n 1000 -c 2 -f TLS1.2 -Z
>>> ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/test.txt
>> 
>> Here the cipher suite matters very much, since the client is not
>> only performing the TLS handshake but also transferring the
>> client's request to the server and the server's response back to
>> the client.
>> 
>> Support for a particular algorithm may dominate the
>> benchmark, here.
> 
> Agreed. But it is the handshake that dominates the timings (if
> you add -k to use keep-alive the req/sec are an order of
> magnitude higher).

Right, but that only tests one single handshake for many requests, when
they wanted to know the handshake improvement.

> The cipher suite was the default one chosen by one of the
> configs (I forget which).
> 
> The cipher suite will affect the results since it also impacts
> the encryption used during the handshake but for any 'reasonably'
> secure cipher suite, I'd expect similar results in terms of the
> relative performance.

The cipher suite chosen does not affect the performance of the
handshake at all, since the handshake is 100% asymmetric. That's why I
suggested using a NULL cipher if you want to test just the handshake.
Honestly, I would have made a TLS connection and then torn it down had
I been asked the same questions.

But here it's clear that the client wants to know "do I get a
performance benefit swapping-out JSSE for OpenSSL?" I think we all knew
what the answer was. Jean-Frederick's slides from yesterday I believe
include such benchmarks as well (NIO/OpenSSL vs NIO/JSSE vs APR/OpenSSL).

-chris
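To attribute a benchmark like the ab run above to the handshake rather than to the request and response that follow it, the phases of each single-request connection can be timed separately, and a session-resumed handshake can be measured next to a full one. This is an added example written for this archive page, not code from the thread, from Tomcat or from ab; it assumes a reachable HTTPS server whose certificate the default context trusts (the `localhost:8443` target and `/test.txt` path from the thread are reused as constructed values) and a Python version whose `SSLContext.wrap_socket` accepts `session=` (3.6 or later).

```python
import socket, ssl, statistics, time

def time_one_request(host, port, path="/", ctx=None, session=None, timeout=5.0):
    """Open a fresh connection; return (connect_s, handshake_s, transfer_s, session).
    Passing session= from an earlier call with the same ctx attempts resumption."""
    ctx = ctx or ssl.create_default_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=host, session=session,
                          do_handshake_on_connect=False)
    tls.do_handshake()  # handshake only: no application data has been sent yet
    t2 = time.perf_counter()
    req = "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
    tls.sendall(req.encode())
    while tls.recv(65536):  # drain the response until the server closes
        pass
    t3 = time.perf_counter()
    sess = tls.session  # taken after the response so a TLS 1.3 ticket is included
    tls.close()
    return t1 - t0, t2 - t1, t3 - t2, sess

def summarize(samples):
    """Per-phase medians of (connect, handshake, transfer) samples plus the share
    of the total spent in the handshake, the quantity the ab run above is dominated by."""
    med = [statistics.median(col) for col in zip(*samples)]
    total = sum(med)
    return {"connect": med[0], "handshake": med[1], "transfer": med[2],
            "handshake_share": med[1] / total if total else 0.0}

def benchmark(host, port, n=100, path="/", resume=False, ctx=None):
    """n single-request connections (ab without -k); resume=True reuses the session."""
    ctx = ctx or ssl.create_default_context()
    session, samples = None, []
    for _ in range(n):
        c, h, x, sess = time_one_request(host, port, path, ctx, session)
        samples.append((c, h, x))
        if resume:
            session = sess
    return summarize(samples)

if __name__ == "__main__":
    # Constructed target from the thread: Tomcat's NIO connector on localhost:8443.
    full = benchmark("localhost", 8443, n=50, path="/test.txt")
    warm = benchmark("localhost", 8443, n=50, path="/test.txt", resume=True)
    print("full handshake %.1f ms (%.0f%% of each request), resumed %.1f ms"
          % (full["handshake"] * 1e3, full["handshake_share"] * 100, warm["handshake"] * 1e3))
```

If the server issues no session tickets, the resumed run silently falls back to full handshakes, so compare the two numbers before drawing conclusions about JSSE versus OpenSSL.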

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

