On Sunday 16 January 2011 10:09:56 pm Jason Pell wrote: > Hi, > > As soon as I enable SSL and execute my soapui test suite I get cpu to > %95. I have profiled the application and can see that this is caused > by the > > com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite > (further down in the stack BigInteger is responsible for most of the > CPU). > > I have configured the following server config: > > <sec:cipherSuitesFilter> > <sec:include>.*_EXPORT_.*</sec:include> > <sec:include>.*_EXPORT1024_.*</sec:include> > <sec:include>.*_WITH_DES_.*</sec:include> > <sec:include>.*_WITH_NULL_.*</sec:include> > <sec:include>.*_128_.*</sec:include> > <sec:exclude>.*_DH_anon_.*</sec:exclude> > </sec:cipherSuitesFilter> > > > I am using the self signed cert provided in CXF examples, but I am not > using a trust store on the server side. > > Does the SSL setup take a while to warm up in a JVM? Reason I ask is > I have managed to get acceptable results from the same soapui > integration test suite after a few of runs (not deterministic, > sometimes its the second run, sometimes the 5, and really confusing is > sometimes it can go back to cpu bound even after a few runs). The > first 1 or 3 runs fail with EOF exceptions and such and then suddenly > I am back to 22 seconds total for the test suite which is in the > ballpark. > > I am not entirely sure how to go about resolving this because 90% CPU > on a single CPU machine and 180% (approx) on a dual CPU machine are > all in the SSL core jre code.
Setting up an SSL/TLS connection IS extremely cpu intensive and time consuming. Once setup, it's not bad and is about 80% the speed of a non- encrypted connection. Couple questions: 1) What version of CXF are you using? There was a bug in some older versions that prevented keep-alives from working properly so a new connection had to be established for each request. 2) Are you creating a new proxy for each request? If so, don't do that. Re- use them. Otherwise, a new connection is made per proxy. -- Daniel Kulp [email protected] http://dankulp.com/blog
