Yeah, that's why I mentioned it with a caveat :) Someone (I can't recall who, but it was someone I consider reasonably knowledgeable as I actually gave it some weight) mentioned it, but I haven't looked into it further than that. I agree that I don't see how this is going to help us at the app layer.

-Todd

On Tuesday, September 6, 2016, Ismael Juma <ism...@juma.me.uk> wrote:

> Hi Todd,
>
> Thanks for sharing your experience enabling TLS in your clusters. Very
> helpful. One comment below.
>
> On Sun, Sep 4, 2016 at 6:28 PM, Todd Palino <tpal...@gmail.com> wrote:
>
> > Right now, we're specifically avoiding moving consume traffic to SSL, due
> > to the zero copy send issue. Now I've been told (but I have not
> > investigated) that OpenSSL can solve this. It would probably be a good use
> > of time to look into that further.
>
> As far as I know, OpenSSL can reduce the TLS overhead, but we will still
> lose the zero-copy optimisation. There are some attempts at making it
> possible to retain zero-copy with TLS in the kernel[1][2], but it's
> probably too early for us to consider that for Kafka.
>
> Ismael
>
> [1] https://lwn.net/Articles/666509/
> [2] http://techblog.netflix.com/2016/08/protecting-netflix-viewing-privacy-at.html

--
*Todd Palino*
Staff Site Reliability Engineer
Data Infrastructure Streaming
linkedin.com/in/toddpalino