Dan Burkert has posted comments on this change.

Change subject: [security] add --rpc_tls_ciphers flag
......................................................................


Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6055/3/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:

PS3, Line 50: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
> hrm, I think it would raise questions if we were picking ciphers outside of
I'm pretty skeptical of those numbers; here are the encryption numbers from my laptop:

    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128-cbc     643106.19k   683280.21k   703700.39k   702423.04k   712150.56k   707157.39k
    aes-128-gcm     330193.86k   951480.49k  2003191.55k  2652187.99k  3129726.29k  3192000.55k
    aes-256-cbc     477106.75k   510741.21k   508344.81k   509004.71k   512925.34k   520552.45k
    aes-256-gcm     279500.94k   822205.27k  1713151.83k  2140991.49k  2425880.58k  2452002.13k
    chacha20        299627.95k   540442.92k  1245685.93k  2535442.09k  2670359.89k  2651657.56k

And the decryption numbers:

    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128-cbc     536751.16k  1787907.30k  3453032.11k  4607014.91k  4943496.65k  4823893.45k
    aes-128-gcm     324921.39k  1022426.61k  1912897.28k  2757657.94k  3103989.76k  3124989.45k
    aes-256-cbc     416240.51k  1499861.23k  2914802.86k  3296780.67k  3521424.04k  3576315.90k
    aes-256-gcm     265438.54k   853966.95k  1587047.85k  2101618.56k  2344259.98k  2259233.05k
    chacha20        289066.59k   505240.64k  1105843.80k  2466917.38k  2621012.71k  2613182.46k


The AES results are with AES-NI, since I ran the test with the -evp flag.  
Without -evp, AES was ~2.5x slower.

That being said, the Mozilla modern list *does* list AES256-GCM-SHA384 above
the ChaCha ciphers, so I'm not sure what to make of that.  All in all, though,
given that the 'advantage' of AES-NI is small or non-existent in GCM mode, and
worse in CBC mode, I'd prefer to stick to the list verbatim.


-- 
To view, visit http://gerrit.cloudera.org:8080/6055
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I050e2295041a98fe2c3118c6258b910423bd3816
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-HasComments: Yes
