Sunday, May 7, 2017

MySQL and SSL/TLS Performance

In conversations about SSL/TLS, people often say either that they don't need TLS because they trust their network, or that it is too slow to be used in production.

With TLS the client and server have to do additional work, so some overhead is expected. But in return for this overhead you get something: more secure communication and more authentication options (client certificates).

SSL and TLS have existed for quite a long time. At first they were only used for online banking and during authentication on web sites. But slowly many websites went to full-on SSL/TLS. And with the introduction of Let's Encrypt many small websites are now using SSL/TLS. And many non-HTTP protocols either add encryption or move to an HTTP-based protocol.

So TLS performance is very important for day-to-day usage. Many people and companies have put a lot of effort into improving TLS performance. This includes browser vendors, hardware vendors and many more.

But instead of just hoping for good performance, let's try to measure it with a simple benchmark.

There are multiple pieces of a database connection we have to benchmark:
  1. New connections
  2. Reconnecting
  3. Bulk transfer

And for all of these there are multiple things we can measure:
  1. Connect and/or transfer time (performance)
  2. CPU usage (efficiency)
  3. Concurrency

The benchmark code can be found here: https://github.com/dveeden/mysql_go_tls

Let's look at connection performance. In this test I connect a number of times to MySQL and do a "DO 1". This is on a localhost TCP connection, so it should be fast.


This is the connection time in ms for a single connection.
With 5.6.33 Community Edition, which is YaSSL-based, we see a very noticeable overhead. With 5.7.17 Community Edition this overhead is much smaller, but still very noticeable.

Then MySQL 5.7 with OpenSSL (compiled on Fedora 25) shows another very noticeable improvement over YaSSL. This can be explained by the fact that in this case the AVX2 and AES-NI CPU features can be used.

Also, OpenSSL supports TLS tickets and YaSSL doesn't. This is why the yellow bar is much shorter than the orange bar. TLS tickets are not yet supported in libmysqlclient; see Bug #76921 for details.

So SSL/TLS can be slow, but doesn't have to be slow.
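
The effect of TLS tickets on reconnect time can be reproduced without a MySQL server. The Go program below is an added example, not code from this post or from the linked benchmark repository: it goes beyond the MySQL case to a bare TLS handshake on a loopback TCP socket and connects twice with a client session cache, so the second handshake resumes from a ticket. The names `setup` and `connect`, the throwaway self-signed certificate and the TLS 1.2 pin on the server are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// setup starts a loopback TLS 1.2 server and returns its address and a client config trusting it.
func setup(cache tls.ClientSessionCache) (string, *tls.Config) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway key constructed for this example
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	client := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost", ClientSessionCache: cache}
	client.RootCAs.AddCert(leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MaxVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		panic(err)
	}
	go func() { // serve one handshake at a time, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String(), client
}

// connect times one TLS connection setup and reports whether it was resumed.
func connect(addr string, cfg *tls.Config) (time.Duration, bool, error) {
	start := time.Now()
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0, false, err
	}
	defer c.Close()
	return time.Since(start), c.ConnectionState().DidResume, nil
}

func main() {
	addr, cfg := setup(tls.NewLRUClientSessionCache(4)) // nil cache: no resumption
	fmt.Println(connect(addr, cfg))                     // full handshake
	fmt.Println(connect(addr, cfg))                     // resumed from the cached ticket
}
```

Passing `nil` instead of a session cache to `setup` makes every connection a full handshake, which gives the baseline to compare the resumed timing against.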

Note that TLS needs multiple round trips. When testing this with netem on Linux, I see this with MySQL 5.7.18 (YaSSL) and a 5ms delay:
No TLS goes from 0.5ms to 52ms
TLS goes from 8ms to 85ms

The second thing to measure is bulk performance. This is for large result sets including mysqldump.

With mysqldump from MySQL 5.7 it is easy to do:

$ time mysqldump --ssl-mode=disabled -A > /dev/null

real 0m0.145s
user 0m0.021s
sys 0m0.005s
$ time mysqldump --ssl-mode=required --ssl-cipher=AES128-SHA -A > /dev/null

real 0m0.120s
user 0m0.039s
sys 0m0.007s 
 
If you do this with multiple ciphers and put some data in the database you'll see something like this:

  No TLS          4.5s
  TLS Default     10.4s
  RC4-MD5         7.1s
  DES-CBC3-SHA    23.2s

This is with MySQL 5.6.33 with YaSSL. Note that this is without using modern CPU features etc.

To conclude, there are some steps you can take to improve SSL/TLS performance:
  1. Upgrade to 5.7
  2. Compile MySQL with OpenSSL
  3. Use TLS tickets
  4. Use persistent connections
  5. Try different cipher suites for mysqldump and other places where you transfer larger amounts of data.
