Grant Henke created KUDU-3133:
---------------------------------
Summary: Poor TLS cypher performance on Java 8
Key: KUDU-3133
URL: https://issues.apache.org/jira/browse/KUDU-3133
Project: Kudu
Issue Type: Bug
Components: security
Reporter: Grant Henke
It was reported a while back that Kudu TLS doesn't perform well on Java 8 due
to a potential GCM cypher bug or bad selection via `PREFERRED_CIPHER_SUITES`.
It would be good to get to the bottom of this and fix it or document the
recommendation to use Java 11.
Here was the observed impact:
{code}
./bin/ycsb run kudu -P workloads/workloadc -p operationcount=100000000 -threads 64 -p kudu_num_clients=16 -s -p fieldlength=10000 -p kudu_table_num_replicas=1

java 7u75 with master:
0205 11:18:48.647920 (+ 28us) server_negotiation.cc:581] Negotiated TLSv1 with cipher AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
~12k rows/sec

java 8_141 with master:
0205 11:17:45.977107 (+ 31us) server_negotiation.cc:581] Negotiated TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
6k rows/sec

java 8_141 with GCM-based codecs removed from Negotiator.java
0205 11:25:33.268689 (+ 40us) server_negotiation.cc:581] Negotiated TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
~6k rows/sec

java 8_141 with only AES256-SHA remaining in Negotiator.java:
"TLS_RSA_WITH_AES_256_CBC_SHA" )
0205 11:32:07.674860 (+ 44us) server_negotiation.cc:581] Negotiated TLSv1.2 with cipher AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
~9.5k rows/sec

java 11 with master:
0205 11:17:01.416066 (+ 41us) server_negotiation.cc:581] Negotiated TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
~19k rows/sec
{code}
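
One way to separate the JVM's bulk-cipher cost from Kudu's negotiation and RPC path is to time the two cipher families from the logs above directly through the JCE, on each JVM under test. This is an added example, not code from the issue or from Kudu; the class name CipherThroughput, the 16 KiB record size and the round count are assumptions chosen for illustration, and it needs Java 8 or later (lambdas), so it cannot reproduce the Java 7 row.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not Kudu code): JCE throughput of AES-256-GCM vs AES-256-CBC + HMAC-SHA1.
public class CipherThroughput {
    static final int RECORD = 16 * 1024; // constructed payload: one max-size TLS record
    static final int ROUNDS = 20_000;    // constructed workload: about 312 MiB per cipher
    static long counter = 0;             // drives a unique GCM nonce per record
    interface Op { void run() throws Exception; }

    static double mibPerSec(Op op) throws Exception {
        for (int i = 0; i < ROUNDS / 4; i++) op.run(); // warm-up so the JIT compiles the hot path
        long start = System.nanoTime();
        for (int i = 0; i < ROUNDS; i++) op.run();
        double secs = (System.nanoTime() - start) / 1e9;
        return RECORD * (double) ROUNDS / (1024 * 1024) / secs;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32], macKeyBytes = new byte[20], data = new byte[RECORD];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(key); rnd.nextBytes(macKeyBytes); rnd.nextBytes(data);
        // AES-256 needs the unlimited-strength JCE policy on older Java 8 builds.
        SecretKeySpec aes = new SecretKeySpec(key, "AES");
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        Mac hmac = Mac.getInstance("HmacSHA1");
        hmac.init(new SecretKeySpec(macKeyBytes, "HmacSHA1"));
        byte[] nonce = new byte[12], iv = new byte[16];
        double gcmRate = mibPerSec(() -> {
            ByteBuffer.wrap(nonce).putLong(4, counter++); // never reuse a key/nonce pair
            gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, nonce));
            gcm.doFinal(data);
        });
        double cbcRate = mibPerSec(() -> {
            rnd.nextBytes(iv);                            // CBC wants an unpredictable IV
            cbc.init(Cipher.ENCRYPT_MODE, aes, new IvParameterSpec(iv));
            hmac.update(data);
            hmac.doFinal();                               // MAC cost, as in the *-SHA suites
            cbc.doFinal(data);
        });
        System.out.printf("java %s: AES-256-GCM %.0f MiB/s, AES-256-CBC+HMAC-SHA1 %.0f MiB/s%n",
                System.getProperty("java.version"), gcmRate, cbcRate);
    }
}
```

Run the same class file under each JVM being compared; the CBC path only approximates the cost of a MAC-then-encrypt TLS record and does not reproduce its exact layout.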