performance of openssl 1.1.1p vs. 3.1.0 #21005
Comments
Yes, the performance loss is known. OpenSSL 3.x requires a slightly different approach and pre-fetching algorithms avoids the majority of the losses.
Thank you very much for your reply.
We would like to use the openssl v.3 library in the same way as we used v1.1.
Our program is a TLS server and it works in the most basic way (SSL_CTX_new, SSL_CTX_use_PrivateKey_file, SSL_new, SSL_accept, SSL_read).
I would like to learn how we should modify this program to achieve the best performance in v.3.
Can you please recommend a tutorial on how to do it?
(I read about explicit fetching, but we do not call functions like EVP_DigestInit() directly. It happens inside SSL…
Therefore, I doubt how we can fetch algorithms in advance…)
Thank you,
Vitaly
From: Pauli ***@***.***>
Sent: Sunday, May 21, 2023 3:27 PM
To: openssl/openssl ***@***.***>
Cc: Vitaly Kroivets ***@***.***>; Author ***@***.***>
Subject: Re: [openssl/openssl] performance of openssl 1.1.1p vs. 3.1.0 (Issue #21005)
Yes, the performance loss is known. OpenSSL 3.x requires a slightly different approach and pre-fetching algorithms avoids the majority of the losses.
If you are working mostly with libssl then the SSL_CTX will cache explicit fetches for you. Therefore it is important to re-use an SSL_CTX across multiple connections, i.e. do not create a new SSL_CTX for each SSL object.
Another point might help.
@mattcaswell it seems the tls1_mac still uses the old method of computing hmac through EVP_DigestSign? Could refactoring to use EVP_MAC help?
Quite possibly. Not sure how easy it will be though
Do you have some statistics on the tls1_mac performance drop? And any details about how you did your testing would be helpful.
Hmmm. I don't understand the increase spent in SHA256_Update from 16.39 to 20.62. Most of the performance difference seems to be there.
I would like to ask about OPENSSL_LH_doall_arg / do_name functions. Below is a trace of these functions:
I compared the performance of openssl versions 1.1.1p and 3.1.0 using nginx 1.23.4 as a server and siege 4.1.6 as a client.
I tried three ciphers and in each of these benchmarks, 1.1.1 has better performance.
Is it a well-known issue or are the tests not correct?
Thank you!
The siege command is:
P.S. All tools have been built with default config options; the nginx webserver returns its default page.