Jean-Frederic Clere, profile picture
Uploaded byJean-Frederic Clere
PDF, PPTX437 views

Tomcat openssl

The document discusses using OpenSSL to improve performance in Tomcat. It describes Tomcat connectors like NIO, NIO2, and APR and the new OpenSSL implementation. Performance tests show the OpenSSL implementation outperforms JSSE and has throughput similar to NIO and NIO2. APR is not needed. OpenSSL is currently needed for HTTP/2 support until Java 9. The presentation concludes that OpenSSL significantly boosts performance over JSSE.

Embed presentation

Download as PDF, PPTX
Using OpenSSL to boostUsing OpenSSL to boost TomcatTomcat Jean-Frederic ClereJean-Frederic Clere
What I will coverWhat I will cover ● Who I am. ● Connectors – NIO, NIO2, APR – OpenSSLImplementation – HTTP/2 and ALPN in Tomcat. ● Performance tests – With ab and h2load as client load generator. ● Questions? 12/16/16 2
Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 12/16/16 3
TomcatTomcat 12/16/16 4
What is a Connector?What is a Connector? ● Tomcat's interface to the world ● Binds to a port ● Understands a protocol and possible upgrades. ● Dispatches requests (example) – protocol="org.apache.coyote.http11.Http11AprProtocol" – protocol="org.apache.coyote.http11.Http11NioProtocol" – protocol="org.apache.coyote.http11.Http11Nio2Protocol" 12/16/16 5
Tomcat ConnectorsTomcat Connectors ● Java Non-blocking I/O (NIO) ● Native / Apache Portable Runtime (APR) ● Java NIO.2 Technically, there are combinations of all of the above with HTTP and AJP protocols. The presentation focuses on HTTP and on NIO/NIO2. 12/16/16 6
What is new in Tomcat 9 / 8.5What is new in Tomcat 9 / 8.5 ● Property sslImplementationName – Allows replacement of the SSL code ● OpenSSLImplementation (use OpenSSL) ● JSSEImplementation (use JSSE) ● UpgradeProtocol – Allows protocol upgrade from HTTP/1.1 ● HTTP/2 (yes) ● Websocket (cool) / Speedy (no plan to support it). 12/16/16 7
Why a new SSLImplementationWhy a new SSLImplementation ● JSSE: – Very slow – Missing features: like ALPN (JEP 244: TLS Application-Layer Protocol Negotiation) – Hardware acceleration very partial (like AES in java8) ● Native connector: – Fast but a lot of native code – Use OpenSSL for SSL/TLS. ● New OpenSSL implementation: – Fast. – Uses only a OpenSSL for native code (no native socket, poller etc). – Works with NIO and NIO2. – Uses OpenSSL for SSL/TLS. (warp, unwarp, handshake etc). 12/16/16 8
OpenSSLImplementationOpenSSLImplementation ● Code originates from netty-tcnative a forked Tomcat Native ● Prototype (last year): – Done with the BeFriNe University – Tested and ported to tc_trunk last summer ● SSL Configuration compatible with the JSSE connection (*) ● Uses keystores (*) ● Uses SSL BIO to wrap/unwarp, handshake ● Uses java NIO or NIO2 Sockets for the reads and writes ● Automatically enabled when TC native is installed/enabled (*) 12/16/16 9
How TLS is done in TomcatHow TLS is done in Tomcat 12/16/16 10 Tomcat JSSE Con. Javastdlib JSSE SSL Engine NIO/NIO2 Tomcat Native APR JNIs Webserver APR Internals APR Connector OpenSSL OS Sockets JavaC/Native Webserver OpenSSL Impl.
How does that worksHow does that works SSLContext JSSESSLContext OpenSSLContext SSLEngine SSLContext OpenSSLEngine createSSLEngine() createSSLEngine() wrap() unwrap() getSession() etc... Overrides 12/16/16 11
How does wrap worksHow does wrap works wrap(plaintext, encrypted) internalBIO networkBIO BIO_new_bio_pair SSL_set_bio writePlainTextData write_ToSSL SSL_write readEncryptedData readFromBIO BIO_read 12/16/16 12
How does unwrap worksHow does unwrap works unwrap(encrypted, plaintext) internalBIO networkBIO BIO_new_bio_pair SSL_set_bio writeEncryptedData writeToBIO BIO_write readPlaintextData readFromSSL SSL_read 12/16/16 13
Connector PerformanceConnector Performance ● Compare connectors throughput against each other ● Only static content was compared, varying file sizes ● Run on “fast” machines, 10 Gbps local network ● Tests: – Compare the connectors (trunk) NIO, NIO2 and APR – Using JSSE and OpenSSL – First without “sendfile” 12/16/16 14
Connector Throughput (c8)Connector Throughput (c8) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 Concurency 8 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputKbytes/sec 12/16/16 15
Connector Throughput (c40)Connector Throughput (c40) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 Concurency 40 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputKbytes/sec 12/16/16 16
Connector Throughput (c80)Connector Throughput (c80) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputKbytes/sec 12/16/16 17
Connector CPU UseConnector CPU Use 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 8 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 concurency 40 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size CPUusage 12/16/16 18
Connector TC8.5Connector TC8.5 12/16/16 19 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 320 tomcat 8.5 coyote_apr_https coyote_nio_jssehttps coyote_nio_opensslhttps File Size Kbytes/second 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 320 tomcat8.5 coyote_apr_https coyote_nio_jssehttps coyote_nio_opensslhttps File Size CPUusage
Connector PerformanceConnector Performance ● With sendfile – In fact with TLS/SSL sendfile is emulated 12/16/16 20
Connector Throughput (c8)Connector Throughput (c8) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 8 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputinKbytes/sec 12/16/16 21
Connector Throughput (c40)Connector Throughput (c40) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 40 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputinKbytes/sec 12/16/16 22
Connector Throughput (c80)Connector Throughput (c80) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughtinKbytes/sec 12/16/16 23
Connector CPU UseConnector CPU Use 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concunreny 8 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 40 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https 12/16/16 24
Connector PerformanceConnector Performance ● Conclusion: – OpenSSL performs better that JSSE – NIO and NIO(2) give similar results – Emulated sendfile doesn't help a lot (bigger files better). – APR isn't needed – Until Java9 is released OpenSSL is needed for HTTP/2 12/16/16 25
Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the scripts for the tests: – https://github.com/jfclere/AC2014scripts 12/16/16 26
Jean-Frederic Clere @jfclere jfclere@gmail.com

More Related Content

PDF
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
byJean-Frederic Clere
 
PDF
Introduction to Apache Tomcat 7 Presentation
byTomcat Expert
 
PDF
Apache Httpd and TLS certificates validations
byJean-Frederic Clere
 
PPT
Tomcat Server
byAnirban Majumdar
 
PPT
Tomcat Clustering
bygouthamrv
 
PDF
Tomcat next
byJean-Frederic Clere
 
PDF
Tomcat next
byJean-Frederic Clere
 
PPT
Auxiliary : Tomcat
bywebhostingguy
 
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
byJean-Frederic Clere
 
Introduction to Apache Tomcat 7 Presentation
byTomcat Expert
 
Apache Httpd and TLS certificates validations
byJean-Frederic Clere
 
Tomcat Server
byAnirban Majumdar
 
Tomcat Clustering
bygouthamrv
 
Tomcat next
byJean-Frederic Clere
 
Tomcat next
byJean-Frederic Clere
 
Auxiliary : Tomcat
bywebhostingguy
 

What's hot

PDF
Tomcat from a cluster to the cloud on RP3
byJean-Frederic Clere
 
PDF
Asynchronous Io Programming
byl xf
 
PPTX
Scapy talk
byAshwin Patil, GCIH, GCIA, GCFE
 
PDF
TomcatCon: from a cluster to the cloud
byJean-Frederic Clere
 
ODP
Snaps on open suse
byZygmunt Krynicki
 
PDF
Skydive 31 janv. 2016
bySylvain Afchain
 
PDF
Large Scale Deployment of SSL/TLS For MySQL
byDaniël van Eeden
 
PDF
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
bypeychevi
 
PDF
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
byLoad Impact
 
PDF
QUIC
byApache Traffic Server
 
PDF
톰캣 #09-쓰레드
byGyuSeok Lee
 
PDF
HAProxy tech talk
byicebourg
 
PPTX
Dive into DevOps | March, Traefik as kubernetes ingress controller, Ihor Borodin
byProvectus
 
PPTX
Http/2
byAdrian Cardenas
 
PDF
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
byFastly
 
PDF
HAProxy 1.9
byHAProxy Technologies
 
PPT
Apache Tomcat 7 by Filip Hanik
byEdgar Espina
 
PDF
Rabbit mq簡介(上)
by共和 薛
 
Tomcat from a cluster to the cloud on RP3
byJean-Frederic Clere
 
Asynchronous Io Programming
byl xf
 
Scapy talk
byAshwin Patil, GCIH, GCIA, GCFE
 
TomcatCon: from a cluster to the cloud
byJean-Frederic Clere
 
Snaps on open suse
byZygmunt Krynicki
 
Skydive 31 janv. 2016
bySylvain Afchain
 
Large Scale Deployment of SSL/TLS For MySQL
byDaniël van Eeden
 
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
bypeychevi
 
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
byLoad Impact
 
QUIC
byApache Traffic Server
 
톰캣 #09-쓰레드
byGyuSeok Lee
 
HAProxy tech talk
byicebourg
 
Dive into DevOps | March, Traefik as kubernetes ingress controller, Ihor Borodin
byProvectus
 
Http/2
byAdrian Cardenas
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
byFastly
 
HAProxy 1.9
byHAProxy Technologies
 
Apache Tomcat 7 by Filip Hanik
byEdgar Espina
 
Rabbit mq簡介(上)
by共和 薛
 

Viewers also liked

PDF
Rame in architettura
byIstitutoRame
 
PPT
AGC_COMPANY PROFILE
byCj Perez
 
PDF
Raccordi per alte pressioni - Fitok serie 20
byGIGA TECH SRL - Distribuzione componenti per impianti di processo
 
PDF
Viernes santa rita
bydairimar
 
PDF
Diario Resumen 20140424
byDiario Resumen
 
PDF
¿Quieres lesionarte? Haz HIIT con ejercicios de fuerza y saltos
byFernando Farias
 
DOCX
TEMA DE INVESTIGACION: COLOR AMARILLO
bymiriam gutierrez
 
PDF
Having fun with Raspberry and Apache projects
byJean-Frederic Clere
 
PPT
Tomcat New Evolution
byAllan Huang
 
PPS
Arquitectura del computador ii(estructura general del computador).pps
byarquitectura5tsu
 
PPTX
VMware at SoftLayer
byJoao Marcelo Barros
 
PDF
White Paper: The Benefits of An Outsourced IT Infrastructure
byAsaca
 
PPT
Lapidas
byJuan Carlos Fernandez
 
PPTX
Social CRM - AVEA
byŞahin UZUN
 
PPT
Redes sociales
byDomingo_Rivero
 
PDF
UCLA en síntesis 425
byÁlvaro Muñoz
 
PDF
Digital Health & Wellness Summit @ Mobile World Congress 2016
by3GDR
 
PDF
Boletín de ocio de Noviembre 2016 a Enero 2017
byVoluntariado Valladolid
 
DOC
Peticion prima de servicios dpto
byMaría Suárez de Pino
 
PDF
Metro New York Stands Out!
byMetro Media
 
Rame in architettura
byIstitutoRame
 
AGC_COMPANY PROFILE
byCj Perez
 
Raccordi per alte pressioni - Fitok serie 20
byGIGA TECH SRL - Distribuzione componenti per impianti di processo
 
Viernes santa rita
bydairimar
 
Diario Resumen 20140424
byDiario Resumen
 
¿Quieres lesionarte? Haz HIIT con ejercicios de fuerza y saltos
byFernando Farias
 
TEMA DE INVESTIGACION: COLOR AMARILLO
bymiriam gutierrez
 
Having fun with Raspberry and Apache projects
byJean-Frederic Clere
 
Tomcat New Evolution
byAllan Huang
 
Arquitectura del computador ii(estructura general del computador).pps
byarquitectura5tsu
 
VMware at SoftLayer
byJoao Marcelo Barros
 
White Paper: The Benefits of An Outsourced IT Infrastructure
byAsaca
 
Lapidas
byJuan Carlos Fernandez
 
Social CRM - AVEA
byŞahin UZUN
 
Redes sociales
byDomingo_Rivero
 
UCLA en síntesis 425
byÁlvaro Muñoz
 
Digital Health & Wellness Summit @ Mobile World Congress 2016
by3GDR
 
Boletín de ocio de Noviembre 2016 a Enero 2017
byVoluntariado Valladolid
 
Peticion prima de servicios dpto
byMaría Suárez de Pino
 
Metro New York Stands Out!
byMetro Media
 

Similar to Tomcat openssl

PDF
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
byJean-Frederic Clere
 
PDF
Netty @Apple: Large Scale Deployment/Connectivity
byC4Media
 
PDF
wolfSSL and TLS 1.3
bywolfSSL
 
PDF
SSL, X.509, HTTPS - How to configure your HTTPS server
byhannob
 
PDF
How (un)secure is SSL/TLS?
byMicrosoft
 
PDF
Secure Sockets Layer(SSL)Certificate
byCheapSSLUSA
 
PDF
Sử dụng TLS đúng cách - Phạm Tùng Dương
bySecurity Bootcamp
 
PDF
Dr. Omar Ali Alibrahim - Ssl talk
bypromediakw
 
PDF
Tomcat openssl
byJean-Frederic Clere
 
PDF
HTTP/2 and SSL/TLS state of art in ASF servers
byJean-Frederic Clere
 
PDF
netty_qcon_v4
byNorman Maurer
 
PPTX
Linux confau 2019: Web Security 2019
byJames Bromberger
 
PDF
libcurl, seven SSL libraries and one SSH library
byDaniel Stenberg
 
PDF
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
byGabriella Davis
 
PPSX
Bleeding secrets
byOfer Rivlin, CISSP
 
PDF
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
byit-people
 
PDF
Ssl Accelerator Test Bench
byRijksoverheid
 
PDF
Amazon CloudFront Seminar Accelerated TLS/SSL Adoption
byHayato Kiriyama
 
PPTX
All you need to know about transport layer security
byMaarten Smeets
 
PPTX
Secure socket layer
byBU
 
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
byJean-Frederic Clere
 
Netty @Apple: Large Scale Deployment/Connectivity
byC4Media
 
wolfSSL and TLS 1.3
bywolfSSL
 
SSL, X.509, HTTPS - How to configure your HTTPS server
byhannob
 
How (un)secure is SSL/TLS?
byMicrosoft
 
Secure Sockets Layer(SSL)Certificate
byCheapSSLUSA
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
bySecurity Bootcamp
 
Dr. Omar Ali Alibrahim - Ssl talk
bypromediakw
 
Tomcat openssl
byJean-Frederic Clere
 
HTTP/2 and SSL/TLS state of art in ASF servers
byJean-Frederic Clere
 
netty_qcon_v4
byNorman Maurer
 
Linux confau 2019: Web Security 2019
byJames Bromberger
 
libcurl, seven SSL libraries and one SSH library
byDaniel Stenberg
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
byGabriella Davis
 
Bleeding secrets
byOfer Rivlin, CISSP
 
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
byit-people
 
Ssl Accelerator Test Bench
byRijksoverheid
 
Amazon CloudFront Seminar Accelerated TLS/SSL Adoption
byHayato Kiriyama
 
All you need to know about transport layer security
byMaarten Smeets
 
Secure socket layer
byBU
 

More from Jean-Frederic Clere

PDF
Apache httpd reverse proxy and Tomcat
byJean-Frederic Clere
 
PDF
FFM / Panama: A case study with OpenSSL and Tomcat
byJean-Frederic Clere
 
PDF
Panama.pdf
byJean-Frederic Clere
 
PDF
03_clere_Proxing to tomcat with httpd.pdf
byJean-Frederic Clere
 
PDF
Apache httpd and TLS/SSL certificates validation
byJean-Frederic Clere
 
PDF
HTTP/3 where are we now? State of the art in our servers.
byJean-Frederic Clere
 
PDF
Juggva cloud
byJean-Frederic Clere
 
PDF
From a cluster to the Cloud
byJean-Frederic Clere
 
PDF
Having fun with Raspberry(s) and Apache projects
byJean-Frederic Clere
 
PDF
Cloud RPI4 tomcat ARM64
byJean-Frederic Clere
 
PDF
Having fun with a solar panel, camera and Apache projects.pdf
byJean-Frederic Clere
 
PDF
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
byJean-Frederic Clere
 
PDF
Native 1.2.8
byJean-Frederic Clere
 
Apache httpd reverse proxy and Tomcat
byJean-Frederic Clere
 
FFM / Panama: A case study with OpenSSL and Tomcat
byJean-Frederic Clere
 
Panama.pdf
byJean-Frederic Clere
 
03_clere_Proxing to tomcat with httpd.pdf
byJean-Frederic Clere
 
Apache httpd and TLS/SSL certificates validation
byJean-Frederic Clere
 
HTTP/3 where are we now? State of the art in our servers.
byJean-Frederic Clere
 
Juggva cloud
byJean-Frederic Clere
 
From a cluster to the Cloud
byJean-Frederic Clere
 
Having fun with Raspberry(s) and Apache projects
byJean-Frederic Clere
 
Cloud RPI4 tomcat ARM64
byJean-Frederic Clere
 
Having fun with a solar panel, camera and Apache projects.pdf
byJean-Frederic Clere
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
byJean-Frederic Clere
 
Native 1.2.8
byJean-Frederic Clere
 

Recently uploaded

PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PPTX
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PDF
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PPT
html-forms in web development-courseICT.
bymadz33
 
PPTX
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PPTX
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PPTX
Computer Science Degree for College .pptx
byHanenek1
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PPTX
Ideathon template.pptx it is a ideathon template
bykonav71133
 
PPTX
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
html-forms in web development-courseICT.
bymadz33
 
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Computer Science Degree for College .pptx
byHanenek1
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
Ideathon template.pptx it is a ideathon template
bykonav71133
 
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 

Tomcat openssl

  • 1.
    Using OpenSSL toboostUsing OpenSSL to boost TomcatTomcat Jean-Frederic ClereJean-Frederic Clere
  • 2.
    What I willcoverWhat I will cover ● Who I am. ● Connectors – NIO, NIO2, APR – OpenSSLImplementation – HTTP/2 and ALPN in Tomcat. ● Performance tests – With ab and h2load as client load generator. ● Questions? 12/16/16 2
  • 3.
    Who I amWhoI am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 12/16/16 3
  • 4.
  • 5.
    What is aConnector?What is a Connector? ● Tomcat's interface to the world ● Binds to a port ● Understands a protocol and possible upgrades. ● Dispatches requests (example) – protocol="org.apache.coyote.http11.Http11AprProtocol" – protocol="org.apache.coyote.http11.Http11NioProtocol" – protocol="org.apache.coyote.http11.Http11Nio2Protocol" 12/16/16 5
  • 6.
    Tomcat ConnectorsTomcat Connectors ●Java Non-blocking I/O (NIO) ● Native / Apache Portable Runtime (APR) ● Java NIO.2 Technically, there are combinations of all of the above with HTTP and AJP protocols. The presentation focuses on HTTP and on NIO/NIO2. 12/16/16 6
  • 7.
    What is newin Tomcat 9 / 8.5What is new in Tomcat 9 / 8.5 ● Property sslImplementationName – Allows replacement of the SSL code ● OpenSSLImplementation (use OpenSSL) ● JSSEImplementation (use JSSE) ● UpgradeProtocol – Allows protocol upgrade from HTTP/1.1 ● HTTP/2 (yes) ● Websocket (cool) / Speedy (no plan to support it). 12/16/16 7
  • 8.
    Why a newSSLImplementationWhy a new SSLImplementation ● JSSE: – Very slow – Missing features: like ALPN (JEP 244: TLS Application-Layer Protocol Negotiation) – Hardware acceleration very partial (like AES in java8) ● Native connector: – Fast but a lot of native code – Use OpenSSL for SSL/TLS. ● New OpenSSL implementation: – Fast. – Uses only a OpenSSL for native code (no native socket, poller etc). – Works with NIO and NIO2. – Uses OpenSSL for SSL/TLS. (warp, unwarp, handshake etc). 12/16/16 8
  • 9.
    OpenSSLImplementationOpenSSLImplementation ● Code originatesfrom netty-tcnative a forked Tomcat Native ● Prototype (last year): – Done with the BeFriNe University – Tested and ported to tc_trunk last summer ● SSL Configuration compatible with the JSSE connection (*) ● Uses keystores (*) ● Uses SSL BIO to wrap/unwarp, handshake ● Uses java NIO or NIO2 Sockets for the reads and writes ● Automatically enabled when TC native is installed/enabled (*) 12/16/16 9
  • 10.
    How TLS isdone in TomcatHow TLS is done in Tomcat 12/16/16 10 Tomcat JSSE Con. Javastdlib JSSE SSL Engine NIO/NIO2 Tomcat Native APR JNIs Webserver APR Internals APR Connector OpenSSL OS Sockets JavaC/Native Webserver OpenSSL Impl.
  • 11.
    How does thatworksHow does that works SSLContext JSSESSLContext OpenSSLContext SSLEngine SSLContext OpenSSLEngine createSSLEngine() createSSLEngine() wrap() unwrap() getSession() etc... Overrides 12/16/16 11
  • 12.
    How does wrapworksHow does wrap works wrap(plaintext, encrypted) internalBIO networkBIO BIO_new_bio_pair SSL_set_bio writePlainTextData write_ToSSL SSL_write readEncryptedData readFromBIO BIO_read 12/16/16 12
  • 13.
    How does unwrapworksHow does unwrap works unwrap(encrypted, plaintext) internalBIO networkBIO BIO_new_bio_pair SSL_set_bio writeEncryptedData writeToBIO BIO_write readPlaintextData readFromSSL SSL_read 12/16/16 13
  • 14.
    Connector PerformanceConnector Performance ●Compare connectors throughput against each other ● Only static content was compared, varying file sizes ● Run on “fast” machines, 10 Gbps local network ● Tests: – Compare the connectors (trunk) NIO, NIO2 and APR – Using JSSE and OpenSSL – First without “sendfile” 12/16/16 14
  • 15.
    Connector Throughput (c8)ConnectorThroughput (c8) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 Concurency 8 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputKbytes/sec 12/16/16 15
  • 16.
    Connector Throughput (c40)ConnectorThroughput (c40) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 Concurency 40 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputKbytes/sec 12/16/16 16
  • 17.
    Connector Throughput (c80)ConnectorThroughput (c80) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputKbytes/sec 12/16/16 17
  • 18.
    Connector CPU UseConnectorCPU Use 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 8 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 concurency 40 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size CPUusage 12/16/16 18
  • 19.
    Connector TC8.5Connector TC8.5 12/16/1619 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 320 tomcat 8.5 coyote_apr_https coyote_nio_jssehttps coyote_nio_opensslhttps File Size Kbytes/second 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 20 40 60 80 100 120 Concurency 320 tomcat8.5 coyote_apr_https coyote_nio_jssehttps coyote_nio_opensslhttps File Size CPUusage
  • 20.
    Connector PerformanceConnector Performance ●With sendfile – In fact with TLS/SSL sendfile is emulated 12/16/16 20
  • 21.
    Connector Throughput (c8)ConnectorThroughput (c8) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 8 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputinKbytes/sec 12/16/16 21
  • 22.
    Connector Throughput (c40)ConnectorThroughput (c40) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 40 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughputinKbytes/sec 12/16/16 22
  • 23.
    Connector Throughput (c80)ConnectorThroughput (c80) 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 2MiB.bin 4MiB.bin 8MiB.bin 16MiB.bin 32MiB.bin 0 100000 200000 300000 400000 500000 600000 700000 800000 Concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https File Size ThroughtinKbytes/sec 12/16/16 23
  • 24.
    Connector CPU UseConnectorCPU Use 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concunreny 8 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 40 4KiB 16KiB 64KiB 128KiB 512KiB 2MiB 8MiB 32MiB 40 50 60 70 80 90 100 Concurency 80 coyote_apr_https coyote_nio2_openssl_https coyote_nio_jsse_https coyote_nio_openssl_https 12/16/16 24
  • 25.
    Connector PerformanceConnector Performance ●Conclusion: – OpenSSL performs better that JSSE – NIO and NIO(2) give similar results – Emulated sendfile doesn't help a lot (bigger files better). – APR isn't needed – Until Java9 is released OpenSSL is needed for HTTP/2 12/16/16 25
  • 26.
    Questions?Questions? Thank you!Thank you! ●jfclere@gmail.com ● users@tomcat.apache.org ● Repo with the scripts for the tests: – https://github.com/jfclere/AC2014scripts 12/16/16 26
  • 27.