[openssl-users] OpenSSL performance issue
Dave Thompson
dthompson at prinpay.com
Fri Dec 19 10:50:25 UTC 2014
> From: openssl-users On Behalf Of Kurt Roeckx
> Sent: Thursday, December 18, 2014 16:36
> On Fri, Dec 19, 2014 at 02:30:07AM +0530, Prabhat Puroshottam wrote:
> > ***************************************
> > This is for *Client -> Agent*
> > ***************************************
> [...]
> > Version 3.1
> [...]
> > cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
> [...]
> > ***************************************
> > This is for *Client -> Proxy Server*
> > ***************************************
> > cipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> So the difference here is that Java picks a DHE ciphersuite while
> otherwise you didn't. DHE gives you forward secrecy but is
> slower.
>
Good catch, I missed that. But, it shouldn't be many *seconds*
unless this is very poor hardware. Especially since Java 7
(and IIRC 6) uses, as you can see later in the trace, 768 bits.
(Except export suites use 512 per RFC. Java 8 defaults DHE
to 1024 and offers some new options for better.)
Although that reminds me, on the *first* session in a process,
there might be delay to initialize SecureRandom, depending on
the platform and options/environment. But not for all sessions.
To OP: assuming this delay happens on non-initial sessions
more than rarely, can you try putting jconsole or the newer
(but more complicated) "Java Mission Control" tools on
the JVM running the proxy server while driving it with
as many requests as you can, to get some (rough) idea
what's going on: is it CPU bound? which threads? if you can
capture stacks, which methods? Is it swapping?
One other thought: normally JSSE server uses a key manager
that is preloaded from a JKS. Are you using an unusual
key manager like a PKCS#11 "token", or even a custom one
that does something costly like fetching from LDAP?
> You're also not using session resumption which might speed up the
> whole process. It at least looks like that proxy server might
> support that.
>
I assumed OP's traces are the first session. Besides OpenSSL
client doesn't cache by default; you must code to enable it.
> You also seem to be using an old version of openssl that only
> supports TLSv1, I suggest you upgrade.
>
Good in general, but very unlikely to change JSSE-server performance.
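The session-resumption point above is easy to see in a small program. The following is an added example written for this page, not code from the thread or from OpenSSL or JSSE: it uses Go's standard crypto/tls, whose client (like the OpenSSL client Dave describes) does no session caching unless you set a ClientSessionCache. Both ends run in one process over an in-memory pipe with a constructed self-signed certificate for "localhost"; the client is pinned to TLS 1.2 so the session ticket is delivered inside the handshake, as in the protocol versions discussed in the thread. The `Handshakes` and `oneHandshake` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result describes one client handshake: whether a cached session was reused,
// the negotiated suite, and the handshake's wall-clock time.
type Result struct {
	Resumed bool
	Suite   string
	Elapsed time.Duration
}

// selfSignedCert builds a throwaway ECDSA certificate for "localhost".
// Constructed test material only, not anyone's real key.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this self-signed leaf
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// oneHandshake runs a single handshake over an in-memory pipe (no sockets).
// Each side closes the raw pipe end rather than the TLS conn, so neither
// blocks trying to deliver a close_notify alert to a peer that is not reading.
func oneHandshake(srvCfg, cliCfg *tls.Config) (Result, error) {
	cc, sc := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		err := tls.Server(sc, srvCfg).Handshake()
		sc.Close()
		srvErr <- err
	}()
	c := tls.Client(cc, cliCfg)
	start := time.Now()
	err := c.Handshake()
	elapsed := time.Since(start)
	cc.Close()
	if err != nil {
		return Result{}, err
	}
	if err := <-srvErr; err != nil {
		return Result{}, err
	}
	st := c.ConnectionState()
	return Result{Resumed: st.DidResume, Suite: tls.CipherSuiteName(st.CipherSuite), Elapsed: elapsed}, nil
}

// Handshakes performs n consecutive client handshakes against a fresh server.
// cache == nil mirrors the OpenSSL-client default of no session caching; with a
// non-nil cache every handshake after the first can be resumed.
func Handshakes(cache tls.ClientSessionCache, n int) ([]Result, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	// TLS 1.2 is pinned so the ticket is part of the handshake; in TLS 1.3 it
	// arrives afterwards and would need a read before the session is cached.
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost",
		MaxVersion: tls.VersionTLS12, ClientSessionCache: cache}
	var out []Result
	for i := 0; i < n; i++ {
		r, err := oneHandshake(srvCfg, cliCfg)
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	for _, tc := range []struct {
		name  string
		cache tls.ClientSessionCache
	}{{"no cache", nil}, {"LRU cache", tls.NewLRUClientSessionCache(0)}} {
		res, err := Handshakes(tc.cache, 3)
		if err != nil {
			fmt.Println(tc.name, "error:", err)
			continue
		}
		for i, r := range res {
			fmt.Printf("%-9s #%d resumed=%-5v %s %v\n", tc.name, i+1, r.Resumed, r.Suite, r.Elapsed)
		}
	}
}
```

Run it and compare the two groups: without a cache every handshake is a full one with a fresh ECDHE exchange and certificate verification; with the cache, handshakes two and three report resumed=true and take a fraction of the first one's time. That is the gap Kurt is pointing at, and it only closes if the client side is actually coded to keep sessions.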