I ran these same tests with Java 9 runtime today and have updated the
blog to include these numbers[1]. I'm pasting the summary for Java 9 here:
- Both for producer and consumer, there's a *drastic improvement in the
JRE shipped SSLEngine numbers, in almost all metrics, in Java 9 as
compared to its counterpart in Java 8*. It's especially prominent in
messages with higher sizes.
- There's not much difference in the numbers for WildFly OpenSSL, in
Java 9, as compared to its Java 8 counterpart. In fact, the consumer
performance numbers of WildFly OpenSSL in Java 9 have dropped slightly
when compared to Java 8. The producer performance in Java 9 with WildFly
OpenSSL have however improved slightly when compared to Java 8.
- When the numbers of producer and consumer metrics of WildFly OpenSSL
with Java 9 runtime are compared with the JRE shipped SSL engine in Java
9, *WildFly OpenSSL still out-performs the one shipped in JRE*.
Like in the Java 8 runs, all default configs and settings were used, not
just for Kafka but even the JRE (i.e. no explicit choice of cipher suites).
[1] https://jaitechwriteups.blogspot.com/2017/10/kafka-with-openssl.html
-Jaikiran
On 30/10/17 5:33 PM, Ismael Juma wrote:
If Java 9 is used by both clients and brokers, AES GCM is used by default.
I did a quick test a while back and there was a significant improvement:
https://twitter.com/ijuma/status/905847523897724929
Ismael
On Mon, Oct 30, 2017 at 11:57 AM, Radu Radutiu <rradu...@gmail.com> wrote:
If you test with Java 9 please make sure to use an accelerated cipher suite
(e.g. one that uses AES GCM such as TLS_RSA_WITH_AES_128_GCM_SHA256).
Radu
On Mon, Oct 30, 2017 at 1:49 PM, Jaikiran Pai <jai.forums2...@gmail.com>
wrote:
I haven't yet had a chance to try out Java 9, but that's definitely on my
TODO list, maybe sometime this weekend.
Thanks for pointing me to KAFKA-2561. I had missed that.
-Jaikiran
On 30/10/17 4:17 PM, Mickael Maison wrote:
Thanks for sharing, very interesting read.
Did you get a chance to try JDK 9 ?
We also considered using OpenSSL instead of JSSE especially since
Netty made an easy to re-use package (netty-tcnative).
There was KAFKA-2561
(https://issues.apache.org/jira/browse/KAFKA-2561) where people shared
a few numbers and what would be need to get it working.
On Mon, Oct 30, 2017 at 8:08 AM, Jaikiran Pai <jai.forums2...@gmail.com
wrote:
We have been using Kafka in some of our projects for the past couple of
years. Our experience with Kafka and SSL had shown some performance
issues
when we had seriously tested it (which admittedly was around a year
back).
Our basic tests did show that things had improved over time with newer
versions, but we didn't get a chance to fully test and move to SSL for
Kafka.
Incidentally, I happened to be looking into some other things related
to
SSL
and decided to experiment with using openssl as the SSL provider for
Kafka.
I had heard OpenSSL performs better than the engine shipped default in
JRE,
but hadn't ever got a chance to do any experiments. This past few
weeks,
I
decided to spend some time trying it. I have noted the experimentation
and
the performance numbers in my blog[1]. The initial basic performance
testing
(using the scripts shipped in Kafka) does show promising improvements.
Like
I note in my blog, this was a very basic performance test just to see
if
OpenSSL can be pursued as an option (both in terms of being functional
and
performant) if we do decide to.
I know some of the members in these lists do extensive performance
testing
with Kafka (and SSL), so I thought I will bring this to their notice.
[1] https://jaitechwriteups.blogspot.com/2017/10/kafka-
with-openssl.html
-Jaikiran
