Mark,
On 5/18/17 9:47 AM, Mark Thomas wrote:
> On 18/05/2017 06:04, Christopher Schultz wrote:
> Mark,
>
> On 5/17/17 5:31 PM, Mark Thomas wrote:
>>>> I got asked in the corridor at TomcatCon earlier today what
>>>> the relative performance of the TLS handshake was with 8.5.x,
>>>> the NIO connector and JSSE vs OpenSSL TLS implementation.
>
> I'm curious about what exactly "TLS handshake" was intended to
> mean (by the person who asked the question) in this context.
>
>> They are using Tomcat in a scenario where clients are making
>> single requests (so keep alive doesn't help). Given that the
>> handshake uses asymmetric encryption which is more expensive than
>> symmetric encryption (which is why the handshake is used to
>> establish a shared secret so symmetric encryption can be used for
>> the actual data) they wanted a sense of the performance benefit -
>> if any - of NIO and 8.5.x with OpenSSL vs NIO and 8.5.x with
>> JSSE.
>
> The handshake itself does not perform any bulk transfer of
> encrypted data, so the negotiated cipher suite does not matter.
> However...
>
>>>> Tested with: ab -n 1000 -c 2 -f TLS1.2 -Z
>>>> ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/test.txt
>
> Here the cipher suite matters very much, since the client is not
> only performing the TLS handshake but also transferring the
> client's request to the server and the server's response back to
> the client.
> Support for a particular algorithm may dominate the
> benchmark, here.
>
>> Agreed. But it is the handshake that dominates the timings (if
>> you add -k to use keep-alive the req/sec are an order of
>> magnitude higher).

Right, but that only tests one single handshake for many requests,
when they wanted to know the handshake improvement.

>> The cipher suite was the default one chosen by one of the
>> configs (I forget which).
>
>> The cipher suite will affect the results since it also impacts
>> the encryption used during the handshake but for any 'reasonably'
>> secure cipher suite, I'd expect similar results in terms of the
>> relative performance.

The cipher suite chosen does not affect the performance of the
handshake at all, since the handshake is 100% asymmetric. That's why I
suggested using a NULL cipher if you want to test just the handshake.

Honestly, I would have made a TLS connection and then torn it down had
I been asked the same questions. But here it's clear that the client
wants to know "do I get a performance benefit swapping-out JSSE for
OpenSSL?" I think we all knew what the answer was.

Jean-Frederick's slides from yesterday I believe include such
benchmarks as well (NIO/OpenSSL vs NIO/JSSE vs APR/OpenSSL).

-chris
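The measurement discussed in this thread, as an added example that is not part of the original message: it times the TLS handshake separately from the full one-shot request, so the handshake's share of each request can be compared between the JSSE and OpenSSL configurations. The host, port, path and cipher default to the `ab` target quoted above; the function names and the disabled certificate check (for a local self-signed test server) are assumptions.

```python
import socket
import ssl
import statistics
import time


def measure(host, port, path="/test.txt",
            ciphers="ECDHE-RSA-AES128-GCM-SHA256", timeout=5.0):
    """One connection, one request: return (handshake_s, total_s)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # fresh context: no session reuse
    ctx.check_hostname = False       # assumption: local test server with a
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    t0 = time.perf_counter()         # total includes the TCP connect
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host,
                             do_handshake_on_connect=False) as tls:
            t1 = time.perf_counter()
            tls.do_handshake()       # only the handshake is inside t1..t2
            t2 = time.perf_counter()
            tls.sendall(request.encode("ascii"))
            while tls.recv(65536):   # drain the response until the server closes
                pass
    return t2 - t1, time.perf_counter() - t0


def summarize(samples):
    """samples: list of (handshake_s, total_s) pairs from measure()."""
    handshakes = [h for h, _ in samples]
    totals = [t for _, t in samples]
    return {
        "n": len(samples),
        "handshake_median_ms": statistics.median(handshakes) * 1000,
        "total_median_ms": statistics.median(totals) * 1000,
        # Fraction of all wall-clock time that was spent handshaking.
        "handshake_share": sum(handshakes) / sum(totals),
    }


if __name__ == "__main__":
    # Assumed target: the https://localhost:8443/test.txt URL from the ab run.
    runs = [measure("localhost", 8443) for _ in range(200)]
    print(summarize(runs))
```

Run it once against each connector configuration and compare the `handshake_median_ms` values; `handshake_share` shows how much of a non-keep-alive request is handshake time.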