
Our application is for load testing arbitrary HTTP(s) servers. We use Java with Netty to make lots of concurrent requests. When using the Netty Java SSL client and SSLEngine, we are now seeing CPU at 100% for relatively low levels of concurrency. I suspect that the client and server are negotiating the most secure choice available, and I want to do what is likely the opposite (choose the option that will cause the smallest CPU load on our system). We must use SSL, but there is no concern about security. How do we go about configuring the SSLEngine to use a better algorithm?

I realize that the server (which is out of our control) limits the choices. But, we need to use a less CPU intensive option if available. We are running this on Amazon's EC2 with c3.large instances.

1 Answer


There isn’t necessarily a direct relationship between the security of a particular SSL/TLS cipher suite and its performance. Cipher suites that use elliptic curve cryptography and AES encryption will likely be the fastest. Elliptic curve suites are faster than RSA, and AES has wide hardware CPU acceleration support; AES-128 should be faster than AES-256.

As far as how to choose the cipher suite, take a look at "How to specify the ciphersuite to be used in SSL session".

Although be wary: this is probably going to cause more problems than it's worth for minimal performance gain.

Magnus
    Note: On current iPhones I see no difference between AES 128 and 256 bit keys; note that there is hardware encryption support. – zaph Dec 23 '15 at 02:43
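The cipher-suite restriction the answer above points to, as an added example that is not part of the original thread: it narrows a client `SSLEngine` to ECDHE and AES-128 suites, keeping only those the local JVM supports. The class name, the preference list and the host `example.test` are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CheapCipherSuites {
    // Assumed preference order, following the answer: ECDHE key exchange and AES-128 first.
    // All names are standard JSSE suite names; the RSA entries are fallbacks only.
    private static final String[] PREFERRED = {
        "TLS_AES_128_GCM_SHA256",                  // TLS 1.3 (JDK 11+)
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    // Intersect the preference list with what this JVM supports.
    // setEnabledCipherSuites throws IllegalArgumentException on an unsupported name.
    static String[] select(String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> chosen = new ArrayList<>();
        for (String suite : PREFERRED) {
            if (available.contains(suite)) chosen.add(suite);
        }
        if (chosen.isEmpty()) {
            throw new IllegalStateException("no preferred cipher suite is supported by this JVM");
        }
        return chosen.toArray(new String[0]);
    }

    static SSLEngine newClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // The server may still choose by its own order, but only among these suites.
        engine.setEnabledCipherSuites(select(engine.getSupportedCipherSuites()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = newClientEngine(SSLContext.getDefault(), "example.test", 443);
        for (String suite : engine.getEnabledCipherSuites()) System.out.println(suite);
    }
}
```

With Netty, the resulting engine can be wrapped in `new SslHandler(engine)` and added to the channel pipeline. If the server supports none of the enabled suites the handshake fails, so a load generator should log `engine.getSession().getCipherSuite()` after the handshake to confirm what was actually negotiated.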