Chris, You are correct. I benchmarked in both directions and performance is pretty comparable (http vs https). BTW, my application uses Java and Apache HTTP Components library to perform these file transfers.
While downloading from the server, I saw very similar %CPU and the total time taken for download was also about the same. While uploading to the server, I saw that in my situation HTTP kept %CPU in 60-80% range, while HTTPS was in 70-80% range... marginal difference. And total time taken for upload via HTTPS was about 30% more than via HTTP. I can live with this performance difference. I think we need to change Tomcat documentation slightly. See below from tomcat 6.0 documentation http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html Section: General Tips on Running SSL "Also, while the SSL protocol was designed to be as efficient as securely possible, encryption/decryption is a computationally expensive process from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and indeed a developer can pick and choose which pages require a secure connection and which do not." -Ajay -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] -----BEGIN PGP SIGNED MESSAGE----- Ajay, On 12/8/2010 5:24 PM, Aggarwal, Ajay wrote: > Most of the application will be over SSL for external clients. There > is one part where the clients may upload or download a huge file over > HTTP which I don't want to go through SSL. I am thinking > uploading/downloading these huge files over SSL will create lot of > stress on the server. FWIW, it's the SSL handshake that is most stressful part of the conversation. Once that's completed, the encryption on both sides is symmetric and fairly low-stress on the connection. I encourage you to benchmark your app under these conditions. It sounds like you are making performance decisions without any data to back them up. - -chris