Michael,

On 10/9/19 11:40, Michael Osipov wrote:
> On 2019-10-07 at 16:39, Christopher Schultz wrote:
>> All,
>>
>> I recently gave a presentation on locking-down Apache Tomcat[1]
>> and I briefly discussed the "sharp edges" present in Tomcat. Some
>> of them are unnecessarily sharp and may be actually unnecessary.
>> I'm going to make a few proposals to remove functions from
>> Tomcat.
>>
>> Proposal: Remove APR connector
>>
>> Justification:
>>
>> The APR connector was once used to provide superior I/O when
>> compared to the only other available I/O mechanism available in
>> Java: blocking I/O. Specifically, the APR connector allowed
>> Tomcat to wait for keepalive requests on a connection in a
>> non-blocking fashion which was not possible with Java BIO-based
>> connectors.
>>
>> The introduction of NIO into Java back in Java 1.4 (!!) changed
>> things, and NIO support was added to Tomcat in 6.0. Now that it
>> has had time to mature, the NIO connector is superior to the APR
>> connector in several ways:
>>
>> 1. NIO connector allows non-blocking TLS handshakes
>> 2. NIO connector uses less (Tomcat-owned) native code
>>
>> The first item improves performance and availability and the
>> second item improves stability (and thus availability).
>>
>> The last advantage which (until recently) made the APR connector
>> still very useful was the ability to use the OpenSSL
>> cryptographic library for all cryptographic operations which is
>> measurably higher-performance than those typically provided by
>> the JVM.
>>
>> This last advantage no longer exists since we have a JSSE
>> provider available for OpenSSL using libtcnative.
>>
>> Notes:
>>
>> This proposal does not recommend the removal of libtcnative. Only
>> the removal of the APR connector, the APR lifecycle listener, and
>> the associated native code required to support those components.
>
> Though, I have no opinion for or against. It has worked very well for
> me for the last 10+ years on HP-UX for our software.

I'd love to get your feedback on NIO+OpenSSL, then.

> Do we have any numbers comparing performance of both for different
> loads?

Yes. All of Jean-Frederic's presentations[1] for the last few years at
ApacheCon conferences all have slides showing the performance comparison.

> Are there any drawbacks not using the APR connector?

The only drawback I see from using NIO+OpenSSL is that CPU usage goes up
a bit. The APR connector is apparently (slightly) more efficient in terms
of CPU, but everything else seems to be just about the same -- such as
throughput.

> OpenSSL must stay, it always works very well.

Whether it works or not isn't the issue. It's how well it performs.
(Well... once it's working.) OpenSSL is a requirement because most Java
cryptographic providers perform terribly.

-chris

[1] http://tomcat.apache.org/presentations.html