On 15/02/2016 16:47, Rémy Maucherat wrote:
> 2016-02-15 14:57 GMT+01:00 jean-frederic clere <jfcl...@gmail.com>:
> 
>> Using a cipher that allows HTTP/2 to work with the standard browsers
>> (like Firefox and Chrome) makes sense; otherwise we would be benching an
>> old "unsafe" cipher.
>>
>> I can't rerun my ApacheCon tests right now, but at that time
>> AES128-GCM-SHA256 was the cipher I used.
>>
> I had done some extensive (?) benchmarking 6 months ago (more or less),
> and things are quite different now, cool :)
> 
> Looking at the cipher list from my OpenSSL (Fedora 23 OpenSSL), there are
> only 8 ciphers left for the cipher suite that Tomcat uses [and TLS 1.2 and
> a RSA certificate]. Half with DHE, half with ECDHE. ab refuses to connect
> to JSSE with ECDHE and AES 256. With AES 128, a recent JDK 8 worked, but
> not OpenJDK 8 from Fedora [which is unusable at the moment since browsers
> refuse to connect as well].
> 
> So here's the result array (in k reqs/s):
> 
> Cipher                       Protocol  Kx       OpenSSL  JSSE  APR
> ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2   Kx=ECDH  63       NA    67
> ECDHE-RSA-AES256-SHA384      TLSv1.2   Kx=ECDH  37       NA    37
> DHE-RSA-AES256-GCM-SHA384    TLSv1.2   Kx=DH    22       30    22
> DHE-RSA-AES256-SHA256        TLSv1.2   Kx=DH    20       28    20
> ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2   Kx=ECDH  65       30    70
> ECDHE-RSA-AES128-SHA256      TLSv1.2   Kx=ECDH  45       29    45
> DHE-RSA-AES128-GCM-SHA256    TLSv1.2   Kx=DH    22       29    23
> DHE-RSA-AES128-SHA256        TLSv1.2   Kx=DH    20       28    20
> 
> So OpenSSL is much faster for me for ECDHE, but not with DHE. Browsers use
> ECDHE.

I tested ECDHE-RSA-AES128-GCM-SHA256 which is Mozilla's recommended
cipher for 'modern' httpd configurations.

I saw a 20% improvement with NIO+OpenSSL compared to NIO+JSSE on Windows.

The figures are going to vary with OS, test client, target resource etc.
but it does seem reasonable to say that - in the general case -
NIO+OpenSSL is a better choice than NIO+JSSE.

Thanks all. I think I have enough data to fill in the gaps in my
presentation tomorrow.

Mark
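
For readers following the thread, here is a Tomcat connector configuration that puts the setup being compared above into practice: NIO with the OpenSSL TLS implementation, TLS 1.2 only, and the ECDHE AES-GCM suites the participants benchmarked. This is an added example, not configuration posted by anyone in the thread; it assumes Tomcat 8.5/9 `SSLHostConfig` syntax, and the certificate paths are placeholders.

```xml
<!-- Added example (not from the thread): NIO connector using Tomcat's
     OpenSSL implementation instead of JSSE. Certificate paths are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true"
           maxThreads="200">
    <!-- TLS 1.2 only, and only the ECDHE AEAD suites from the benchmark table,
         with the AES-128 suite Mozilla's "modern" profile recommends listed first.
         honorCipherOrder makes the server's preference win over the client's. -->
    <SSLHostConfig protocols="TLSv1.2"
                   ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
                   honorCipherOrder="true">
        <Certificate certificateKeyFile="conf/PLACEHOLDER-server.key"
                     certificateFile="conf/PLACEHOLDER-server.crt"
                     certificateChainFile="conf/PLACEHOLDER-chain.pem"
                     type="RSA"/>
    </SSLHostConfig>
    <!-- HTTP/2 is negotiated via ALPN, which on JDK 8 is only available
         through the OpenSSL implementation, not JSSE. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>
```

Switching back to JSSE for a side-by-side comparison means removing the `sslImplementationName` attribute (or setting it to `org.apache.tomcat.util.net.jsse.JSSEImplementation`) while leaving the cipher list unchanged.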
