6

I've enabled SSL on my proxy server and found that the performance has dropped from around 17k requests per second to 5k requests per second. I followed the code in Netty's secure chat example and I don't think I've done anything differently.

I've written a dummy server to see if I've made some mistakes on my proxy. Running the dummy SSL server in normal http mode is capable of around 50k requests per second. When I enable SSL on the dummy server that drops to 28k requests per second.

Is there anything I'm doing wrong? Is there something I'm missing?

I'm using JDK 6 to compile the code, running on JDK 7u4. I'm using Netty-3.5.0 as well. I'm using zeusbench to run the test. The test parameters are: zeusbench -n 10000 -c 100 -k -C RC4_SHA "https:///"

Source: http://pastebin.com/iahqr3zT

Edit 1: I've run the dummy server through JProfiler. The SSLContext.createSSLEngine call in the pipeline factory takes (on average) 55,005 microseconds (that average has been calculated from 540 invocations of the method).

The SslHandler.handshake call in channelConnected takes (on average) 46,284 microseconds (that average has been calculated from 540 invocations of the method).

I understand there isn't much Netty can do about the call to createSSLEngine, but could the SslHandler.handshake be tuned any better? It's taking almost as long as the generation of the engine itself.

  • Do you have the possibility to terminate the SSL before the request reaches your server? Ideally you could use dedicated hardware to terminate the SSL. Amazon's Elastic Load Balancer can do this as well. What is the length of the SSL key? The length of the key has an impact on performance: http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml – John P Jun 05 '12 at 16:10
  • @JohnP Thanks for the reply. Terminating the SSL before reaching my server is not a possibility. Thanks for the tip on the length of the SSL key, it's 2048 – Brendt Lucas Jun 05 '12 at 18:50

2 Answers

0

Encryption/Decryption w/ java is really slow.
You should not use the SSL implementation w/ java for performance.
There are several ways to avoid java for the SSL connection:

  1. Configure a proxy server which provides the SSL connection in front of your java server
  2. Implement an SSL handshaking library w/ openssl and use the library in netty code by jni
  • 2
    Really slow compared to what? There are millions of websites running e.g. Tomcat with SSL that are counter-examples to these assertions. I've been running one myself for several years. – user207421 Oct 16 '12 at 23:12
  • 2
    Here's one source for the "java is slow" comment in this answer: http://netty.io/wiki/requirements-for-4.x.html#benefits-of-using-openssl – cdeszaq Jul 24 '17 at 15:58
0

You could try re-using SSL sessions for existing connections; this reduces the SSL handshake and should give you a general boost.

keios
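A way to check whether a server actually resumes TLS sessions, as the answer above suggests relying on. This is an added example, not code from the thread. It assumes the `openssl` command-line tool is installed; the function names, the port 44433 and the throwaway self-signed certificate are constructed for the demo, and the local `openssl s_server` only stands in for the server under test.

```shell
#!/usr/bin/env bash
# Added example: count resumed TLS handshakes with openssl s_client.
PORT="${PORT:-44433}"   # assumed free local port for the demo server

# Print how many of s_client's reconnects resumed the first session.
# 0 means every connection paid for a full handshake.
count_reused() {
  host="$1"; port="$2"
  # -reconnect: handshake once, then reconnect offering the same session.
  # -tls1_2 keeps the report lines stable: "New, ..." vs "Reused, ...".
  openssl s_client -connect "$host:$port" -tls1_2 -reconnect \
    </dev/null 2>/dev/null | grep -c '^Reused, ' || true
}

# Start a throwaway TLS server, run the check against it, clean up.
demo_local() {
  dir="$(mktemp -d)"
  # Constructed sample input: 2048-bit RSA key, the size named in the thread.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl s_server -accept "$PORT" -cert "$dir/cert.pem" \
    -key "$dir/key.pem" -www -quiet >/dev/null 2>&1 &
  pid=$!
  sleep 1                       # give the server time to bind the port
  reused="$(count_reused 127.0.0.1 "$PORT")"
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  rm -rf "$dir"
  echo "$reused"
}

# Run the local demo only when asked to: ./check_reuse.sh --demo
if [ "${1:-}" = "--demo" ]; then
  echo "resumed handshakes: $(demo_local)"
fi
```

To test a real server, call `count_reused <host> <port>` directly; a result of 0 means clients are doing a full handshake on every new connection.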