tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: TLS handshake performance
Date Fri, 19 May 2017 12:42:00 GMT

On 5/18/17 9:47 AM, Mark Thomas wrote:
> On 18/05/2017 06:04, Christopher Schultz wrote:
> Mark,
> On 5/17/17 5:31 PM, Mark Thomas wrote:
>>>> I got asked in the corridor at TomcatCon earlier today what
>>>> the relative performance of the TLS handshake was with 8.5.x,
>>>> the NIO connector and JSSE vs OpenSSL TLS implementation.
> I'm curious about what exactly "TLS handshake" was intended to
> mean (by the person who asked the question) in this context.
>> They are using Tomcat in a scenario where clients are making
>> single requests (so keep-alive doesn't help). Given that the
>> handshake uses asymmetric encryption which is more expensive than
>> symmetric encryption (which is why the handshake is used to
>> establish a shared secret so symmetric encryption can be used for
>> the actual data) they wanted a sense of the performance benefit -
>> if any - of NIO and 8.5.x with OpenSSL vs NIO and 8.5.x with
>> JSSE.
> The handshake itself does not perform any bulk transfer of
> encrypted data, so the negotiated cipher suite does not matter.
> However...
>>>> Tested with: ab -n 1000 -c 2 -f TLS1.2 -Z 
>>>> ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/test.txt
> Here the cipher suite matters very much, since the client is not
> only performing the TLS handshake but also transferring the
> client's request to the server and the server's response back to
> the client.
> Support for a particular algorithm may dominate the benchmark,
> here.
>> Agreed. But it is the handshake that dominates the timings (if
>> you add -k to use keep-alive the req/sec are an order of
>> magnitude higher).

Right, but that only tests one single handshake for many requests, when
they wanted to know the handshake improvement.

>> The cipher suite was the default one chosen by one of the
>> configs (I forget which).
>> The cipher suite will affect the results since it also impacts
>> the encryption used during the handshake but for any 'reasonably'
>> secure cipher suite, I'd expect similar results in terms of the
>> relative performance.

The cipher suite chosen does not affect the performance of the
handshake at all, since the handshake is 100% asymmetric. That's why I
suggested using a NULL cipher if you want to test just the handshake.
Honestly, I would have made a TLS connection and then torn it down had
I been asked the same questions.

But here it's clear that the client wants to know "do I get a
performance benefit swapping out JSSE for OpenSSL?" I think we all knew
what the answer was. Jean-Frederick's slides from yesterday I believe
include such benchmarks as well (NIO/OpenSSL vs NIO/JSSE vs APR/OpenSSL).

-chris

