Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CipherSuites should prioritise faster suites on Java11 #956

Open
iamdanfox opened this issue Feb 26, 2019 · 2 comments
Open

CipherSuites should prioritise faster suites on Java11 #956

iamdanfox opened this issue Feb 26, 2019 · 2 comments

Comments

@iamdanfox
Copy link
Contributor

Current world

Currently, CipherSuites.java contains an ordered list of 'fastCipherSuites'. This has been hand tuned for Java8, but doesn't take advantage of the fast new CPU instructions on newer JVMs.

This means that as we move to Java11, we're leaving performance on the table (an internal benchmark shows TLS_RSA_WITH_AES_128_GCM_SHA256 coming out on top, but this is right at the bottom of our list!)

Proposal

Ensure CipherSuites returns suites fastest first, automatically detecting Java8 or Java11.

(Example output from an internal benchmark)

Benchmark JDK (cipher) Score Error Units
sendOneMegabyte 11.0.1 TLS_RSA_WITH_AES_128_GCM_SHA256 352.28 3.21 MiB/s
sendOneMegabyte 11.0.1 TLS_RSA_WITH_AES_256_GCM_SHA384 345.29 2.44 MiB/s
sendOneMegabyte 11.0.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 260.97 5.7 MiB/s
sendOneMegabyte 11.0.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 230.26 1.39 MiB/s
sendOneMegabyte 11.0.1 TLS_RSA_WITH_AES_128_CBC_SHA256 228.43 3.15 MiB/s
sendOneMegabyte 11.0.1 TLS_RSA_WITH_AES_256_CBC_SHA256 220.38 2.18 MiB/s
sendOneMegabyte 1.8.0_192 TLS_RSA_WITH_AES_128_CBC_SHA 187.2 1.36 MiB/s
sendOneMegabyte 11.0.1 TLS_RSA_WITH_AES_128_CBC_SHA 182.45 3.42 MiB/s
sendOneMegabyte 11.0.1 TLS_RSA_WITH_AES_256_CBC_SHA 180.7 1.89 MiB/s
sendOneMegabyte 1.8.0_192 TLS_RSA_WITH_AES_256_CBC_SHA 176.09 2.19 MiB/s
sendOneMegabyte 1.8.0_192 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 164.35 5.11 MiB/s
sendOneMegabyte 1.8.0_192 TLS_RSA_WITH_AES_128_CBC_SHA256 131.06 2.47 MiB/s
sendOneMegabyte 1.8.0_192 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 130.47 2.93 MiB/s
sendOneMegabyte 1.8.0_192 TLS_RSA_WITH_AES_256_CBC_SHA256 127.47 0.97 MiB/s
sendOneMegabyte 1.8.0_192 TLS_RSA_WITH_AES_128_GCM_SHA256 59.77 1.23 MiB/s
sendOneMegabyte 1.8.0_192 TLS_RSA_WITH_AES_256_GCM_SHA384 58.83 0.87 MiB/s

cc @dansanduleac
@carterkozak
Copy link
Contributor

TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 both result in 900-1000 MiB/s using Conscrypt, which is also available for java 8. We currently don't provide any mechanism to opt into Conscrypt for clients, only servers.

@stale
Copy link

stale bot commented Sep 23, 2019

This issue has been automatically marked as stale because it has not been touched in the last 60 days. Please comment if you'd like to keep it open, otherwise it'll be closed in 7 days time.

@stale stale bot added the stale label Sep 23, 2019
@iamdanfox iamdanfox removed the stale label Sep 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@iamdanfox @carterkozak