tomcat-users mailing list archives

From Rémy Maucherat <r...@apache.org>
Subject Re: TLS handshake performance
Date Thu, 18 May 2017 07:05:06 GMT
2017-05-18 7:04 GMT+02:00 Christopher Schultz <chris@christopherschultz.net>:

> Mark,
>
> On 5/17/17 5:31 PM, Mark Thomas wrote:
> > I got asked in the corridor at TomcatCon earlier today what the
> > relative performance of the TLS handshake was with 8.5.x, the NIO
> > connector and JSSE vs OpenSSL TLS implementation.
> I'm curious about what exactly "TLS handshake" was intended to mean
> (by the person who asked the question) in this context.
>
> The handshake itself does not perform any bulk transfer of encrypted
> data, so the negotiated cipher suite does not matter. However...
>
> > Tested with: ab -n 1000 -c 2 -f TLS1.2 -Z
> > ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/test.txt
>
> Here the cipher suite matters very much, since the client is not only
> performing the TLS handshake but also transferring the client's
> request to the server and the server's response back to the client.
>
> Support for a particular algorithm may dominate the benchmark, here.
>

I only tested JSSE/OpenSSL with -k, and the actual encryption is
ridiculously fast compared to the handshake. So Mark's test gives new data
and, IMO, is a good "handshake performance" test where you are supposed to
negotiate a usable cipher.

Rémy

>
> What happens if you negotiate a NULL cipher for instance? Or, perform
> the TLS handshake but never make an HTTP request after connecting? I
> don't know of a tool that can do that out of the box (e.g. ab makes
> HTTP requests, not just TLS connections) but one could be written in
> Java fairly easily.
>
> > test.txt is a 3 byte text file.
> >
> > The results were:
> > JSSE:    17 reqs/sec
> > OpenSSL: 23 reqs/sec
> >
> > So around a 35% increase.
>
> I'd like to see a NULL or very low-overhead cipher under the same
> circumstances.
>
> > YMMV with different versions of TLS and associated ciphers, JREs,
> > OpenSSL versions etc.
>
> Noted. ;)
>
> -chris
>
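The handshake-only measurement raised in the quoted message (connect, complete the TLS handshake, never send an HTTP request), sketched in Java as an added example that is not code from this thread or from the Tomcat project. The class name, the defaults and the single-threaded loop are assumptions; the protocol and cipher suite mirror the ab command quoted above, using the JSSE name for the suite.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (hypothetical class): times TLS handshakes only.
// No HTTP request is written to the socket at any point.
public class HandshakeTimer {
    public static void main(String[] args) throws Exception {
        // Assumed defaults, matching https://localhost:8443 and -n 1000 from the thread.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        int count = args.length > 2 ? Integer.parseInt(args[2]) : 1000;

        // Default context: the server certificate must validate against the
        // JVM truststore (set -Djavax.net.ssl.trustStore for a test certificate).
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        long handshakeNanos = 0;

        for (int i = 0; i < count; i++) {
            // createSocket(host, port) completes the TCP connect before returning,
            // so the timed region below covers the TLS handshake alone.
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setEnabledProtocols(new String[] {"TLSv1.2"});
                socket.setEnabledCipherSuites(new String[] {
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});

                long start = System.nanoTime();
                socket.startHandshake(); // blocks until the handshake finishes
                handshakeNanos += System.nanoTime() - start;

                // Invalidate the session so the next connection cannot resume it
                // and is forced through a full handshake again.
                socket.getSession().invalidate();
            }
        }

        double seconds = handshakeNanos / 1e9;
        System.out.printf("%d handshakes in %.3f s (%.1f handshakes/sec)%n",
                count, seconds, count / seconds);
    }
}
```

Without the `invalidate()` call the JSSE client session cache can turn later iterations into abbreviated (resumed) handshakes, which would overstate the full-handshake rate.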
