[jira] [Commented] (KAFKA-2561) Optionally support OpenSSL for SSL/TLS

Thu, 21 Jul 2016 14:12:02 -0700 

    [ 
https://issues.apache.org/jira/browse/KAFKA-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15388432#comment-15388432
 ] 

Hendrik Saly commented on KAFKA-2561:
-------------------------------------

Here is a working draft: 
https://github.com/salyh/kafka/commit/9337c56df9b8387bf42f756faf5be08118259139

First sketch to make SslFactory ready for native OpenSSl support leveraging 
netty and netty tcnative.
Requires netty 4.0.30 (common, handler, buffer, codec) and tcnative 
fork-1.1.33.19 for the respective OS and of course OpenSSL installed (recent 
1.0.1 or better 1.0.2). Could not get the gradle dependency stuff to work so 
maybe one can add the required dependencies. 



> Optionally support OpenSSL for SSL/TLS 
> ---------------------------------------
>
>                 Key: KAFKA-2561
>                 URL: https://issues.apache.org/jira/browse/KAFKA-2561
>             Project: Kafka
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Ismael Juma
>
> JDK's `SSLEngine` is unfortunately a bit slow (KAFKA-2431 covers this in more 
> detail). We should consider supporting OpenSSL for SSL/TLS. Initial 
> experiments on my laptop show that it performs a lot better:
> {code}
> start.time, end.time, data.consumed.in.MB, MB.sec, data.consumed.in.nMsg, 
> nMsg.sec, config
> 2015-09-21 14:41:58:245, 2015-09-21 14:47:02:583, 28610.2295, 94.0081, 
> 30000000, 98574.6111, Java 8u60/server auth JDK 
> SSLEngine/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 2015-09-21 14:38:24:526, 2015-09-21 14:40:19:941, 28610.2295, 247.8900, 
> 30000000, 259931.5514, Java 8u60/server auth 
> OpenSslEngine/TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 2015-09-21 14:49:03:062, 2015-09-21 14:50:27:764, 28610.2295, 337.7751, 
> 30000000, 354182.9000, Java 8u60/plaintext
> {code}
> Extracting the throughput figures:
> * JDK SSLEngine: 94 MB/s
> * OpenSSL SSLEngine: 247 MB/s
> * Plaintext: 337 MB/s (code from trunk, so no zero-copy due to KAFKA-2517)
> In order to get these figures, I used Netty's `OpenSslEngine` by hacking 
> `SSLFactory` to use Netty's `SslContextBuilder` and made a few changes to 
> `SSLTransportLayer` in order to workaround differences in behaviour between 
> `OpenSslEngine` and JDK's SSLEngine (filed 
> https://github.com/netty/netty/issues/4235 and 
> https://github.com/netty/netty/issues/4238 upstream).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to