Wei-Chiu Chuang created HDDS-11604:
--------------------------------------
Summary: Use OpenSSL TLS encryption provider to speed up gRPC TLS
encryption
Key: HDDS-11604
URL: https://issues.apache.org/jira/browse/HDDS-11604
Project: Apache Ozone
Issue Type: Bug
Reporter: Wei-Chiu Chuang
According to
https://netty.io/wiki/requirements-for-4.x.html#benefits-of-using-openssl and
https://netty.io/wiki/forked-tomcat-native.html
we should rely on OpenSSL (default is JDK) to speed up encryption performance.
We already have netty-tcnative-boringssl-static in the classpath and the missing
piece is to use the OpenSSL provider in the code.
{code}
// Select the OpenSSL (netty-tcnative) engine instead of the default JDK provider
SslContext sslContext =
    SslContextBuilder.forServer(certificate, privateKey)
        .sslProvider(SslProvider.OPENSSL)
        .build();
{code}
OpenSSL is said to be 3x faster than the default JDK SSL provider.
https://www.ververica.com/blog/how-openssl-in-ververica-platform-improves-your-flink-job-performance
Apache Flink reports up to 210% improvement after switching to OpenSSL TLS
encryption provider.
Ideally, if we can make the encryption overhead negligible, then we could simply
make gRPC encryption the default and simplify the configurations.
Actually, OpenSSL code is already in Ozone.
I see that it is used in OM gRPC server, DataNode xceiver server, container
replication server, SCM client/server.
But it's not applied to xceiver client, OM gRPC client, container replication
client, and it looks like Ratis Netty doesn't use it (gRPC has it though).
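An added example, not part of the issue and not Ozone's own code: one way to select the OpenSSL provider on both the client and the server side of a gRPC channel, falling back to the JDK provider when netty-tcnative cannot be loaded on the host. It assumes the unshaded `io.netty` and `io.grpc.netty` packages (a project that relocates them would import the shaded names instead); the class name, method names and PEM file parameters are hypothetical.

```java
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import javax.net.ssl.SSLException;

// Hypothetical helper class for illustration only.
public final class TlsProviderExample {

  /** Prefer OpenSSL (netty-tcnative); fall back to JDK TLS if the native library is missing. */
  static SslProvider pickProvider() {
    if (OpenSsl.isAvailable()) {
      return SslProvider.OPENSSL;
    }
    // Report why the native library did not load, so the fallback is not silent.
    System.err.println("OpenSSL unavailable, using JDK TLS: "
        + OpenSsl.unavailabilityCause());
    return SslProvider.JDK;
  }

  /** Client side: trust only the given CA bundle (PEM). */
  static SslContext clientContext(File trustedCaPem) throws SSLException {
    SslContextBuilder builder =
        SslContextBuilder.forClient().trustManager(trustedCaPem);
    // GrpcSslContexts.configure sets the provider plus the HTTP/2 ALPN and
    // cipher settings that gRPC requires.
    return GrpcSslContexts.configure(builder, pickProvider()).build();
  }

  /** Server side: same provider choice, so both ends of the channel match. */
  static SslContext serverContext(File certChainPem, File privateKeyPem)
      throws SSLException {
    SslContextBuilder builder =
        SslContextBuilder.forServer(certChainPem, privateKeyPem);
    return GrpcSslContexts.configure(builder, pickProvider()).build();
  }

  public static void main(String[] args) throws SSLException {
    // Print the provider that would be used on this host.
    System.out.println("TLS provider: " + pickProvider());
    if (args.length == 1) {
      clientContext(new File(args[0])); // optional: path to a CA bundle in PEM format
    }
  }
}
```

Logging the chosen provider at startup makes a fallback to JDK TLS visible, which matters when the expected speed-up depends on the native library actually loading.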