[jboss-jira] [JBoss JIRA] (WFWIP-160) Fix throughput and response time differences between TLS 1.2 and TLS 1.3

Richard Opalka (Jira) issues at jboss.org
Wed Nov 20 15:30:01 EST 2019 

    [ https://issues.jboss.org/browse/WFWIP-160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815798#comment-13815798 ] 

Richard Opalka commented on WFWIP-160:
--------------------------------------

I profiled this TLS 1.3 issue and I agree the performance regression is pointing to io.undertow.protocols.ssl.SslConduit$5.run() anonymous inner class.
But my investigation shows it is not the locking problem at the undertow level but it is a problem at the java level (see performance-hotspot.png attachment).
I have no ideas how we could solve this java level performance regression at the underthow level.

My profiling on JDK 11.0.5 LTS shows TLS 1.3 is almost 3 times slower than TLS 1.2 there (same observation from [~jstourac])
But when I switched to JDK 13.0.1 I see TLS 1.3 is just 0,5 times slower than TLS 1.2 there (quite a huge improvement).
Obviously TLS 1.3 performance is significantly improving with newer JDK releases.

Maybe [~swd847] might have some ideas how we could try to solve this java level regression in undertow?
[~jstourac] [~flavia.rainone] [~fjuma] ^^^

> Fix throughput and response time differences between TLS 1.2 and TLS 1.3
> ------------------------------------------------------------------------
>
>                 Key: WFWIP-160
>                 URL: https://issues.jboss.org/browse/WFWIP-160
>             Project: WildFly WIP
>          Issue Type: Task
>          Components: Web (Undertow)
>            Reporter: Farah Juma
>            Assignee: Richard Opalka
>            Priority: Blocker
>         Attachments: jstourac-report.zip, results-tlsv12.zip, results-tlsv13.zip
>
>
> Performance with TLS 1.3 on WildFly appears to be worse than with TLS 1.2. In particular, throughput is much lower (roughly three times lower) and response time is much higher (roughly three times higher), which is not supposed to be the case. The underlying issue seems to be in Undertow or XNIO, that is the code that actually gets invoked during the TLS handshake process. Looking at CPU time, there is significantly more time being spent in [io.undertow.protocols.ssl.SslConduit$5.run()|https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java#L1070-L1103] with TLS 1.3 than with TLS 1.2.
> Steps to reproduce (taken from EAP7-1022):
> 1. Build WildFly using the following feature branches or download a QE build of WildFly [here|https://eap-qe-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/undertow-custom-server-build/53/artifact/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT.zip]:
> https://github.com/fjuma/wildfly-elytron/tree/ELY-1706
> https://github.com/fjuma/wildfly-core/tree/WFCORE-4172 (Update the Elytron version in the pom.xml file to use the version built in the previous step)
> https://github.com/fjuma/wildfly/tree/WFCORE-4172 (Update the Core version in the pom.xml file to use the version built in the previous step)
> 2. Download and unzip JMeter from https://jmeter.apache.org/download_jmeter.cgi
> 3. Download attached test plan [TLSv1.3.jmx|https://issues.jboss.org/secure/attachment/12449098/12449098_TLSv1.3.jmx]
> 4. Start server with JDK11 and configure with TLSv1.3:
> {code}
> $ JAVA_HOME=/path/to/java/openjdk-11.0.2 <EAP_HOME>/bin/standalone.sh
> $ <EAP_HOME>/bin/jboss-cli.sh -c
> /subsystem=elytron/key-store=tls13:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
> /subsystem=elytron/key-store=tls13:generate-key-pair(alias=localhost,algorithm=RSA,key-size=1024,validity=365,credential-reference={clear-text=secret},distinguished-name="CN=localhost")
> /subsystem=elytron/key-store=tls13:store()
> /subsystem=elytron/key-manager=tls13:add(key-store=tls13,credential-reference={clear-text=secret})
> /subsystem=elytron/server-ssl-context=tls13:add(key-manager=tls13,protocols=["TLSv1.3"])
> batch
> /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
> /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=tls13)
> run-batch
> reload
> {code}
> 5. Start jmeter with JDK 11 and downloaded test plan
> {code}
> export JAVA_HOME=/path/to/java/openjdk-11.0.2; bin/jmeter -n -t TLSv1.3.jmx -e -l tlsv13.log -o results-tlsv13
> {code}
> 6. Set server to use TLSv1.2
> {code}
> /subsystem=elytron/server-ssl-context=tls13:write-attribute(name=protocols,value=["TLSv1.2"])
> reload
> {code}
> 7. Repeat same for TLSv1.2
> {code}
> export JAVA_HOME=/path/to/java/openjdk-11.0.2; bin/jmeter -n -t TLSv1.3.jmx -e -l tlsv12.log -o results-tlsv12
> {code}
> 8. Compare results (there will be an index.html file in the results-tlsv12 and results-tlsv13 directories)



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

More information about the jboss-jira mailing list