Reputation: 69
SunJCE vs OpenSSL
Recently I did replacement of SunJCE with OpenSSLJCE, a private package which implements JCE using Openssl primitives(native library) for TLS termination.
Around 35% of performance improvement has been observed by using OpenSSLJCE.
My questions are,
What would be reason of this performance gain? Is it just because openssl is executing in native code?
I believe that SunJCE is decrypting(TLS termination) the content which is in java heap, while native Openssl needs to copy the content to process heap then decrypt the content and send it back to java heap, which involves two copies. Is my understanding correct?
Please provide your suggestions and references.
Upvotes: 2
Views: 980
Answers (1)
Reputation: 858
I'll try to answer your first question by providing my example. I've created a JMeter test to create TLS connections to a Java application. As load get increased Java application had a significant challenge to handle TLS handshakes as it seems a very expensive operation for Java. I've run another test on the same hardware, where Nginx was responsible to terminate TLS and proxy TCP connection to Java application. Nginx (which is using OpenSSL) had no issues at all to handle the same load.
OpenSSL is definitely using hardware acceleration for its crypto processing.
The following article compares performance of different JCEs and the role of hardware acceleration: https://developer.ibm.com/javasdk/2018/02/16/performance-ibm-jdk-security-ibmjceplus/
Upvotes: 2
Related Questions
- Why does the result of OpenSSL differ for TLS versions?
- SSL compatibilty in java 1.4
- Changes in SSLEngine usage when going up to TLSv1.3
- Enable TLSv1.2 and TLS_RSA_WITH_AES_256_CBC_SHA256 Cipher Suite
- TLS 1.2 on Java 6
- Java 1.6 and TLS 1.1
- SSL/TLS version compatibility?
- C client with OpenSSL + Java server : javax.net.ssl.SSLHandshakeException: no cipher suites in common
- The SSL / TLS handshake between a "Java 1.7 TLS 1.2 server" and a "Java 1.6 client"
- TLS Performance in Java?