On 02/15/2016 11:30 AM, Rémy Maucherat wrote:
> 2016-02-15 10:45 GMT+01:00 Mark Thomas <ma...@apache.org>:
>
>> Looks like such a claim is indeed oversimplified.
>>
>> Having tweaked the test so the same cipher is used, NIO+JSSE is about
>> 10% faster than NIO+OpenSSL :(
>>
>> Enabling direct buffers didn't seem to help.
>>
>
> Well, you're probably using an unoptimized cipher then. We'd need to
> determine the cipher(s) which should be tested.
>
> For example, with OpenSSL, ECDHE-RSA-AES256-GCM-SHA384 is fast (that's what
> ab connects with), while DHE-RSA-AES128-SHA256 is slow (ab connects to JSSE
> with that, so I forced it with -Z to compare, and OpenSSL is slightly
> slower than JSSE with it). With my OpenSSL, ECDHE-RSA-AES256-GCM-SHA384 is
> an order of magnitude faster than DHE-RSA-AES128-SHA256 (and it does sound
> more secure as well). JSSE doesn't have ECDHE-RSA-AES256-GCM-SHA384
> however. Also my Firefox 44 refuses to handshake with JSSE with its default
> configuration (there: ssl_error_no_cypher_overlap) :(
>
> So as I was saying, this SSL testing is hard ;)

Using a cipher that allows HTTP/2 to work with the standard browsers (like Firefox and Chrome) makes sense, otherwise we would be benching an old "unsafe" cipher.

I can't rerun my ApacheCon tests right now, but at that time AES128-GCM-SHA256 was the cipher I used.

Cheers

Jean-Frederic