tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLS handshake performance
Date Thu, 18 May 2017 05:04:21 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 5/17/17 5:31 PM, Mark Thomas wrote:
> I got asked in the corridor at TomcatCon earlier today what the 
> relative performance of the TLS handshake was with 8.5.x, the NIO 
> connector and JSSE vs OpenSSL TLS implementation.
I'm curious about what exactly "TLS handshake" was intended to mean
(by the person who asked the question) in this context.

The handshake itself does not perform any bulk transfer of encrypted
data, so the negotiated cipher suite does not matter. However...

> Tested with: ab -n 1000 -c 2 -f TLS1.2 -Z
> ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/test.txt

Here the cipher suite matters very much, since the client is not only
performing the TLS handshake but also transferring the client's
request to the server and the server's response back to the client.

Support for a particular algorithm may dominate the benchmark, here.

What happens if you negotiate a NULL cipher for instance? Or, perform
the TLS handshake but never make an HTTP request after connecting? I
don't know of a tool that can do that out of the box (e.g. ab makes
HTTP requests, not just TLS connections) but one could be written in
Java fairly easily.

> test.txt is a 3 byte text file.
> 
> The results were: JSSE:    17 reqs/sec OpenSSL: 23 reqs/sec
> 
> So around a 35% increase.

I'd like to see a NULL or very low-overhead cipher under the same
circumstances.

> YMMV with different versions of TLS and associated ciphers, JREs, 
> OpenSSl versions etc.

Noted. ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlkdK1IACgkQHPApP6U8
pFhfQw/+NGm1CNQcFZ2qVzlCZ36W+TXhaKaBcWeiSCKw60jf/utEFycONRldm5Q3
cRM7Nbrfx1GcPwAs8ufedOtHgsAfzp6JkpzqwVFqZjUX1GODbJhz1vaNgQgB3mL8
YlGBoLqQIRKvQNOcTYJx5bP+tbnqARu96uINH16rMT+GQUF9nIzk+ua7ec0Goe+e
6yO6euDrkV75uOMPArBWDDToSrQVZ9QKiliqlcYpnG2IPDMu1CGWDHZtwO1pxaLG
aMbtqea9gAj42rw3NpFjUNxqYdN4EJHhCFjIIdVCAbiqs5BZQQAjcWjaRPniq45M
ySsuBLNFqPj2sltlhZrdg7CEklvDbVvVgVIWZA21pw0wyfIofZnsiy+KsLo8q/wD
gHcOF/TkQ4pAYGVoP+wh5AnQHwze2SFTJq0RE7kE0s6cohtfXeNSH/Ga6lzbJW5d
B+vHpU8+U6X1Lpha8Hg0A1KxbP7hcANfdLTiRqZNIVMQES8p6Zh+fbIX+DlVYIFR
WLFNmFADdlZ5msxHwRjfdQ8dtL6McwyvM3kmDQeADU/YzN80bhXmr8ZHJJUevTUJ
cya5zcw5MmPrzdlavXhH0VKspbprPoJxrd9llRU0ra5aNfUmJ4xA79jD5VxQmNL/
Cglw5DT8QoxG3knjZEQ8YLRj0gq0NrQXQmzowxqekfMcyNc2EGg=
=+yjT
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message