OpenSSL vs SSLEngine performance gain
151 views
Skip to first unread message
alarm...@gmail.com
Apr 20, 2017, 1:51:11 PM4/20/17
to Netty discussions
What kind of performance gain is to be expected when switching from the JDK provided SSLEngine to OpenSSL?
I know this is a difficult question to answer because it depends on a lot of factors. But is OpenSSL the best thing since sliced bread and should always be used or are there any performance related reasons not the use OpenSSL?
I know this is a difficult question to answer because it depends on a lot of factors. But is OpenSSL the best thing since sliced bread and should always be used or are there any performance related reasons not the use OpenSSL?
Norman Maurer
Apr 20, 2017, 1:53:36 PM4/20/17
to ne...@googlegroups.com
The difference can be huge depending on the cipher / java version etc.
See for example here:
So I would generally recommend using the SslProvider.OPENSSL.
On 19. Apr 2017, at 17:07, alarm...@gmail.com wrote:
What kind of performance gain is to be expected when switching from the JDK provided SSLEngine to OpenSSL?
I know this is a difficult question to answer because it depends on a lot of factors. But is OpenSSL the best thing since sliced bread and should always be used or are there any performance related reasons not the use OpenSSL?
--
You received this message because you are subscribed to the Google Groups "Netty discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netty+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/netty/67110da6-9461-422e-a547-148bbb76f2af%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Peter Veentjer
Apr 24, 2017, 1:05:17 PM4/24/17
to Netty discussions
Thanks for the reply.
The TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 give indeed a big boost; 350%
But when using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (the default ciphersuite from SSLEngine on my testboxes) the improvements were very marginal. At least in my benchmark.
The TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 give indeed a big boost; 350%
But when using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (the default ciphersuite from SSLEngine on my testboxes) the improvements were very marginal. At least in my benchmark.
Martin Furmanski
May 16, 2018, 2:22:50 PM5/16/18
to Netty discussions
It's because CBC requires the use of an HMAC which cannot be accelerated. With GCM you bake it in.
Norman Maurer
May 16, 2018, 2:24:11 PM5/16/18
to ne...@googlegroups.com
+1
--
You received this message because you are subscribed to the Google Groups "Netty discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netty+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/netty/f78839eb-d8ea-4759-bc0e-2f69ce179f51%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages