[jira] [Commented] (KAFKA-2561) Optionally support OpenSSL for SSL/TLS

Mon, 30 Oct 2017 04:54:33 -0700 

    [ 
https://issues.apache.org/jira/browse/KAFKA-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16224784#comment-16224784
 ] 

jaikiran pai commented on KAFKA-2561:
-------------------------------------

I just came across this JIRA, so I thought I will update it with my own recent 
experiments with OpenSSL (Java 8) and Kafka. For those interested, I got some 
performance numbers OpenSSL (backed by WildFly OpenSSL Java bindings) and have 
detailed them in my blog[1]. Later this week, I plan to rerun the same thing 
with Java 9 and see how it performs.

[1] https://jaitechwriteups.blogspot.com/2017/10/kafka-with-openssl.html


> Optionally support OpenSSL for SSL/TLS 
> ---------------------------------------
>
>                 Key: KAFKA-2561
>                 URL: https://issues.apache.org/jira/browse/KAFKA-2561
>             Project: Kafka
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Ismael Juma
>
> JDK's `SSLEngine` is unfortunately a bit slow (KAFKA-2431 covers this in more 
> detail). We should consider supporting OpenSSL for SSL/TLS. Initial 
> experiments on my laptop show that it performs a lot better:
> {code}
> start.time, end.time, data.consumed.in.MB, MB.sec, data.consumed.in.nMsg, 
> nMsg.sec, config
> 2015-09-21 14:41:58:245, 2015-09-21 14:47:02:583, 28610.2295, 94.0081, 
> 30000000, 98574.6111, Java 8u60/server auth JDK 
> SSLEngine/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 2015-09-21 14:38:24:526, 2015-09-21 14:40:19:941, 28610.2295, 247.8900, 
> 30000000, 259931.5514, Java 8u60/server auth 
> OpenSslEngine/TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 2015-09-21 14:49:03:062, 2015-09-21 14:50:27:764, 28610.2295, 337.7751, 
> 30000000, 354182.9000, Java 8u60/plaintext
> {code}
> Extracting the throughput figures:
> * JDK SSLEngine: 94 MB/s
> * OpenSSL SSLEngine: 247 MB/s
> * Plaintext: 337 MB/s (code from trunk, so no zero-copy due to KAFKA-2517)
> In order to get these figures, I used Netty's `OpenSslEngine` by hacking 
> `SSLFactory` to use Netty's `SslContextBuilder` and made a few changes to 
> `SSLTransportLayer` in order to workaround differences in behaviour between 
> `OpenSslEngine` and JDK's SSLEngine (filed 
> https://github.com/netty/netty/issues/4235 and 
> https://github.com/netty/netty/issues/4238 upstream).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to