-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mark,
On 5/17/17 5:31 PM, Mark Thomas wrote: > I got asked in the corridor at TomcatCon earlier today what the > relative performance of the TLS handshake was with 8.5.x, the NIO > connector and JSSE vs OpenSSL TLS implementation. I'm curious about what exactly "TLS handshake" was intended to mean (by the person who asked the question) in this context. The handshake itself does not perform any bulk transfer of encrypted data, so the negotiated cipher suite does not matter. However... > Tested with: ab -n 1000 -c 2 -f TLS1.2 -Z > ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/test.txt Here the cipher suite matters very much, since the client is not only performing the TLS handshake but also transferring the client's request to the server and the server's response back to the client. Support for a particular algorithm may dominate the benchmark, here. What happens if you negotiate a NULL cipher for instance? Or, perform the TLS handshake but never make an HTTP request after connecting? I don't know of a tool that can do that out of the box (e.g. ab makes HTTP requests, not just TLS connections) but one could be written in Java fairly easily. > test.txt is a 3 byte text file. > > The results were: JSSE: 17 reqs/sec OpenSSL: 23 reqs/sec > > So around a 35% increase. I'd like to see a NULL or very low-overhead cipher under the same circumstances. > YMMV with different versions of TLS and associated ciphers, JREs, > OpenSSl versions etc. Noted. ;) - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlkdK1IACgkQHPApP6U8 pFhfQw/+NGm1CNQcFZ2qVzlCZ36W+TXhaKaBcWeiSCKw60jf/utEFycONRldm5Q3 cRM7Nbrfx1GcPwAs8ufedOtHgsAfzp6JkpzqwVFqZjUX1GODbJhz1vaNgQgB3mL8 YlGBoLqQIRKvQNOcTYJx5bP+tbnqARu96uINH16rMT+GQUF9nIzk+ua7ec0Goe+e 6yO6euDrkV75uOMPArBWDDToSrQVZ9QKiliqlcYpnG2IPDMu1CGWDHZtwO1pxaLG aMbtqea9gAj42rw3NpFjUNxqYdN4EJHhCFjIIdVCAbiqs5BZQQAjcWjaRPniq45M ySsuBLNFqPj2sltlhZrdg7CEklvDbVvVgVIWZA21pw0wyfIofZnsiy+KsLo8q/wD gHcOF/TkQ4pAYGVoP+wh5AnQHwze2SFTJq0RE7kE0s6cohtfXeNSH/Ga6lzbJW5d B+vHpU8+U6X1Lpha8Hg0A1KxbP7hcANfdLTiRqZNIVMQES8p6Zh+fbIX+DlVYIFR WLFNmFADdlZ5msxHwRjfdQ8dtL6McwyvM3kmDQeADU/YzN80bhXmr8ZHJJUevTUJ cya5zcw5MmPrzdlavXhH0VKspbprPoJxrd9llRU0ra5aNfUmJ4xA79jD5VxQmNL/ Cglw5DT8QoxG3knjZEQ8YLRj0gq0NrQXQmzowxqekfMcyNc2EGg= =+yjT -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org