2017-05-18 7:04 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net> :
> Mark,
>
> On 5/17/17 5:31 PM, Mark Thomas wrote:
> > I got asked in the corridor at TomcatCon earlier today what the
> > relative performance of the TLS handshake was with 8.5.x, the NIO
> > connector and JSSE vs OpenSSL TLS implementation.
>
> I'm curious about what exactly "TLS handshake" was intended to mean
> (by the person who asked the question) in this context.
>
> The handshake itself does not perform any bulk transfer of encrypted
> data, so the negotiated cipher suite does not matter. However...
>
> > Tested with: ab -n 1000 -c 2 -f TLS1.2 -Z
> > ECDHE-RSA-AES128-GCM-SHA256 https://localhost:8443/test.txt
>
> Here the cipher suite matters very much, since the client is not only
> performing the TLS handshake but also transferring the client's
> request to the server and the server's response back to the client.
>
> Support for a particular algorithm may dominate the benchmark, here.
>

I only tested JSSE/OpenSSL with -k, and the actual encryption is ridiculously fast compared to the handshake. So Mark's test gives new data and, IMO, is a good "handshake performance" test where you are supposed to negotiate a usable cipher.

Rémy

> What happens if you negotiate a NULL cipher for instance? Or, perform
> the TLS handshake but never make an HTTP request after connecting? I
> don't know of a tool that can do that out of the box (e.g. ab makes
> HTTP requests, not just TLS connections) but one could be written in
> Java fairly easily.
>
> > test.txt is a 3 byte text file.
> >
> > The results were: JSSE: 17 reqs/sec OpenSSL: 23 reqs/sec
> >
> > So around a 35% increase.
>
> I'd like to see a NULL or very low-overhead cipher under the same
> circumstances.
>
> > YMMV with different versions of TLS and associated ciphers, JREs,
> > OpenSSL versions etc.
>
> Noted. ;)
>
> -chris
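A sketch of the handshake-only client described in the quoted message, as an added example that is not part of the original thread or of Tomcat. The class name `HandshakeTimer`, the defaults and the sequential single-connection loop are assumptions; the protocol and cipher suite are the JSSE equivalents of the `ab` options quoted above.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example: times TLS handshakes only; no HTTP request is ever sent.
// Class name, default host/port/count are assumptions for illustration.
public class HandshakeTimer {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        int count = args.length > 2 ? Integer.parseInt(args[2]) : 1000;

        // Default context: the server certificate chain is validated, so run
        // with -Djavax.net.ssl.trustStore pointing at a store that holds the
        // test server's certificate.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();

        long totalNanos = 0;
        String negotiated = null;
        for (int i = 0; i < count; i++) {
            // The TCP connect happens here, outside the timed region.
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setEnabledProtocols(new String[] {"TLSv1.2"});
                socket.setEnabledCipherSuites(
                        new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});

                long start = System.nanoTime();
                socket.startHandshake(); // blocks until the handshake completes
                totalNanos += System.nanoTime() - start;

                SSLSession session = socket.getSession();
                negotiated = session.getProtocol() + " " + session.getCipherSuite();
                // Remove the session from the client-side cache so the next
                // connection performs a full handshake instead of resuming.
                session.invalidate();
            }
        }

        double seconds = totalNanos / 1e9;
        System.out.printf("%s: %d handshakes in %.2f s (%.1f handshakes/sec)%n",
                negotiated, count, seconds, count / seconds);
    }
}
```

Without the `session.invalidate()` call the JSSE client may resume cached sessions, so later iterations would measure abbreviated handshakes rather than full key exchanges.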