2015-05-21 19:48 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:

> Rémy,
>
> On 5/18/15 11:46 AM, Rémy Maucherat wrote:
> > Early performance results show the NIO(2) connector with SSL being
> > equivalent or maybe even slightly faster than the APR connector, with JSSE
> > very far behind. With SSL being nearly mandatory in the new protocols, SSL
> > performance becomes a very important factor.
>
> Jean-Frederic has no doubt shared with you his investigations into
> (non-) accelerated crypto in the JVM due to various bugs. It will be
> interesting to see what kind of performance improvement JSSE gets when
> the JVM can finally stop doing all that crypto in Java-land.
>

I got a GCM fix that improves AES-GCM, but it takes forever to make it into
releases. Maybe Java 9 I guess ;)

> If the performance is comparable, I'd say that sticking with the
> vendor-supported JSSE crypto is a better bet: less code to maintain,
> fewer code paths to test for all configurations, etc.
>
> But this is still a very interesting project nonetheless. It's entirely
> possible that nobody at Oracle/OpenJDK/etc. cares about
> hardware-accelerated crypto, and it might not come along any time soon.
>
> In that case, Tomcat does really need a TLS solution with decent
> performance.
>

OpenSSL still looks much better [as demonstrated in the APR connector] [even
with the fix mentioned above]. Another benefit is it has many more features
[ciphers] and is consistent across JVM versions. And as you say it's an
interesting small experiment.

Rémy