2017-05-17 23:31 GMT+02:00 Mark Thomas <ma...@apache.org>:

> Hi all,
>
> I got asked in the corridor at TomcatCon earlier today what the relative
> performance of the TLS handshake was with 8.5.x, the NIO connector and JSSE
> vs OpenSSL TLS implementation.
>
> This might be something that is of interest to a wider audience so here
> goes...
>
> The following results are very rough and ready and generated with my
> (slightly aging now) laptop (4 cores).
>
> I tested trunk but the code is close enough to 8.5.x for this purpose.
>
> I used exactly the same config for each test. The only change was to
> add/remove the tc-native library to enable/disable OpenSSL.
>
> Tested with:
> ab -n 1000 -c 2 -f TLS1.2 -Z ECDHE-RSA-AES128-GCM-SHA256
> https://localhost:8443/test.txt
>
> test.txt is a 3 byte text file.
>
> The results were:
> JSSE: 17 reqs/sec
> OpenSSL: 23 reqs/sec
>
> So around a 35% increase.
>
> JRE: Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
> OpenSSL: 1.0.2k
>
> YMMV with different versions of TLS and associated ciphers, JREs, OpenSSL
> versions etc.
>

I did another test run on my own since I had never tested handshake. Platform: Fedora 25 with its default JVM (openjdk-1.8.0.131-1.b12.fc25.x86_64), OpenSSL 1.0.2k, a Skylake 6700k CPU.
The results are in req/s:

ab -n 10000 -c 20 -f TLS1.2 -Z ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/tomcat.gif
NIO OpenSSL: 1900
NIO JSSE: 650
APR: 1900

+ -k (and also a bigger -n to make the test meaningful):
NIO OpenSSL: 53800
NIO JSSE: 24600
APR: 56900

My conclusion is also that the handshake is much faster with JSSE/OpenSSL compared to vanilla JSSE, despite the code being complex and having a ton of native calls. Testing localhost probably introduces a heavy bias as the ab client also uses a lot of CPU; the real performance of vanilla JSSE on my Fedora platform is actually worse than what it looks like. So on Fedora 25, it could be around 4 times slower for handshaking.

The handshake seems to be marginally slower with APR compared to JSSE/OpenSSL for some reason, but then the encryption itself is faster. Undoubtedly the SSL engine adds a bit of overhead to encryption.

Rémy