Uploaded image for project: 'WildFly WIP'
  1. WildFly WIP
  2. WFWIP-160

Fix throughput and response time differences between TLS 1.2 and TLS 1.3

    Details

      Description

      Performance with TLS 1.3 on WildFly appears to be worse than with TLS 1.2. In particular, throughput is much lower (roughly three times lower) and response time is much higher (roughly three times higher), which is not supposed to be the case. The underlying issue seems to be in Undertow or XNIO, that is the code that actually gets invoked during the TLS handshake process. Looking at CPU time, there is significantly more time being spent in io.undertow.protocols.ssl.SslConduit$5.run() with TLS 1.3 than with TLS 1.2.

      Steps to reproduce (taken from EAP7-1022):

      1. Build WildFly using the following feature branches or download a QE build of WildFly here:

      https://github.com/fjuma/wildfly-elytron/tree/ELY-1706
      https://github.com/fjuma/wildfly-core/tree/WFCORE-4172 (Update the Elytron version in the pom.xml file to use the version built in the previous step)
      https://github.com/fjuma/wildfly/tree/WFCORE-4172 (Update the Core version in the pom.xml file to use the version built in the previous step)

      2. Download and unzip JMeter from https://jmeter.apache.org/download_jmeter.cgi
      3. Download attached test plan TLSv1.3.jmx
      4. Configure and start server with TLSv1.3 and JDK 11:

      connect
      /subsystem=elytron/key-store=tls13:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
      /subsystem=elytron/key-store=tls13:generate-key-pair(alias=localhost,algorithm=RSA,key-size=1024,validity=365,credential-reference={clear-text=secret},distinguished-name="CN=localhost")
      /subsystem=elytron/key-store=tls13:store()
      /subsystem=elytron/key-manager=tls13:add(key-store=tls13,credential-reference={clear-text=secret})
      /subsystem=elytron/server-ssl-context=tls13:add(key-manager=tls13,protocols=["TLSv1.3"])
      
      batch
      /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=tls13)
      run-batch
      
      reload
      

      5. Start jmeter with JDK 11 and downloaded test plan

      export JAVA_HOME=/path/to/java/openjdk-11.0.2; bin/jmeter -n -t TLSv1.3.jmx -e -l tlsv13.log -o results-tlsv13
      

      6. Set server to use TLSv1.2

      /subsystem=elytron/server-ssl-context=tls13:write-attribute(name=protocols,value=["TLSv1.2"])
      reload
      

      7. Repeat same for TLSv1.2

      export JAVA_HOME=/path/to/java/openjdk-11.0.2; bin/jmeter -n -t TLSv1.3.jmx -e -l tlsv12.log -o results-tlsv12
      

      8. Compare results (there will be an index.html file in the results-tlsv12 and results-tlsv13 directories)

        Gliffy Diagrams

          Attachments

          1. jstourac-report.zip
            14.11 MB
          2. results-tlsv12.zip
            1.01 MB
          3. results-tlsv13.zip
            1.01 MB

            Issue Links

              Activity

                People

                • Assignee:
                  ropalka Richard Opalka
                  Reporter:
                  fjuma Farah Juma
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  8 Start watching this issue

                  Dates

                  • Created:
                    Updated: