Hello, could you measure the time it takes to initialize all the keys and Key/TrustManagers by inserting some debug output? I am not sure whether the certificate is checked for validity. This could involve checking a revocation list, an OCSP call to an external server, ...
Greetings,
Thomas

> -----Original Message-----
> From: John Dale (DB2DOM) <jcdw...@gmail.com>
> Sent: Thursday, March 31, 2022 16:50
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Question about ssl
>
> Hi Chris;
>
> I'm measuring the time taken to process a request as reported by
> inspector-network in Brave.
>
> SSL time to process through tomcat is 11ms.
>
> Same request for a smaller file using a java SSL socket is taking 50ms ..
> like this:
>
> public static SSLServerSocket getServerSocketWithCert(int port,
>         InputStream pathToCert, String passwordFromCert,
>         ServerSecureType type) throws IOException,
>         KeyManagementException, NoSuchAlgorithmException,
>         CertificateException, KeyStoreException,
>         UnrecoverableKeyException
> {
>     X509TrustManager[] tmm;
>     X509KeyManager[] kmm;
>     KeyStore ks = KeyStore.getInstance(instance);
>     ks.load(pathToCert, passwordFromCert.toCharArray());
>     tmm=tm(ks);
>     kmm=km(ks, passwordFromCert);
>     SSLContext ctx = SSLContext.getInstance(type.getType());
>     ctx.init(kmm, tmm, null);
>     SSLServerSocketFactory socketFactory =
>         (SSLServerSocketFactory) ctx.getServerSocketFactory();
>     SSLServerSocket ssocket = (SSLServerSocket)
>         socketFactory.createServerSocket(port);
>     return ssocket;
> }
>
> I'm using the cert at https://db2dom.com
>
> It's still a tenth of a second to process the request with this "hand
> rolled" method, but it's several orders of magnitude slower, and I'm
> trying to figure out why (I'm obsessive with response times).
>
> Sincerely,
>
> John
>
> On 3/28/22, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > John,
> >
> > On 3/26/22 22:29, John Dale (DB2DOM) wrote:
> >> Can you help me understand why Tomcat's SSL handling is so much
> >> faster than hand rolling it on a regular socket?
> >
> > I think you'll need to define some terms.
> >
> > For example, what do you mean when you say "faster", and how are you
> > measuring that?
> >
> > What do you mean when you say "hand-rolling" your SSL and what is a
> > "regular socket"?
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
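One way to take the measurement requested at the top of this message, as an added example that is not code from the thread or from Tomcat: it times each setup phase separately and prints the JDK properties that control revocation checking. The class name `TlsSetupTiming`, the PKCS12 keystore type and the command-line arguments are assumptions; with no arguments it falls back to a constructed empty keystore so it still runs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class name). Usage: java TlsSetupTiming <keystore.p12> <password>
public class TlsSetupTiming {
    private static long last = System.nanoTime();

    // Print the microseconds elapsed since the previous step, then restart the clock.
    private static void step(String label) {
        long now = System.nanoTime();
        System.out.printf("%-26s %8d us%n", label, (now - last) / 1_000);
        last = System.nanoTime();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = (args.length > 1 ? args[1] : "").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12"); // assumed keystore type
        if (args.length > 0) {
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        } else {
            ks.load(null, null); // constructed empty keystore, only so the example runs
        }
        step("KeyStore.load");

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        step("KeyManagerFactory.init");

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        step("TrustManagerFactory.init");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        step("SSLContext.init");

        // Port 0 asks the OS for any free port; the socket is closed immediately.
        try (SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            step("createServerSocket");
        }

        // Properties that govern revocation checking (CRL/OCSP lookups) in the JDK's PKIX validation.
        System.out.println("com.sun.net.ssl.checkRevocation = " + System.getProperty("com.sun.net.ssl.checkRevocation"));
        System.out.println("com.sun.security.enableCRLDP    = " + System.getProperty("com.sun.security.enableCRLDP"));
        System.out.println("ocsp.enable (security property) = " + Security.getProperty("ocsp.enable"));
    }
}
```

The first run in a fresh JVM includes provider and class loading in the early steps, so compare repeated runs rather than a single one.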