Posted to dev@trafficcontrol.apache.org by John Rushford <jj...@gmail.com> on 2018/09/04 16:47:21 UTC

Grove RSA TLS performance.

Greetings,

I've been running performance tests with the grove caching server using
several different profiles.  One profile was strictly with http
transactions and other profiles were with a mix of https using RSA
public/private keys and EC (elliptic curve) public/private keys.  When
using https with EC certificates, grove performed very well.  However, when
RSA public/private keys are employed, there is a significant impact to
performance.

I have found that grove performs poorly when RSA keys are employed and
grove is compiled using go 1.9.4.  At 3k requests per second, the CPUs go
to 100% utilization and 50% or more of the transactions time out.  With the
release of go version 1.11, this performance issue with RSA crypto has been
addressed with a patch to the 'math/big.addMulVVW()' function used in the
RSA crypto routines.  After re-compiling grove with go version 1.11,
performance improved quite significantly when using RSA certs.  I've
attached some of the performance data collected to the issue #2780
<https://github.com/apache/trafficcontrol/issues/2780>.

If you are using grove, I suggest that you use EC public/private TLS keys.
If you use RSA keys though, you should make sure that you compile grove
with go version 1.11 or higher.  I've submitted this issue, #2780
<https://github.com/apache/trafficcontrol/issues/2780>, and a PR, #2781
<https://github.com/apache/trafficcontrol/pull/2781>, that modifies the
grove build scripts to check for and use go version 1.11.  The docker build
scripts have been modified to install and use go version 1.11 to build
grove.

thanks
John Rushford
jrushford@apache.org

-- 
John Rushford
jjrushford@gmail.com
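
Added example, not part of the original message or of the Grove code base: a small Go program that measures private-key signing throughput for an RSA key and an EC key on whatever Go toolchain compiles it, so the RSA/EC gap described above can be checked per Go version. The key sizes (RSA-2048, ECDSA P-256) and the names signRate and compare are assumptions chosen for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"runtime"
	"time"
)

// signRate signs the same digest n times with key and returns signatures per second.
func signRate(key crypto.Signer, n int) (float64, error) {
	digest := sha256.Sum256([]byte("constructed handshake transcript"))
	start := time.Now()
	for i := 0; i < n; i++ {
		if _, err := key.Sign(rand.Reader, digest[:], crypto.SHA256); err != nil {
			return 0, err
		}
	}
	return float64(n) / time.Since(start).Seconds(), nil
}

// compare generates one RSA-2048 and one ECDSA P-256 key (assumed sizes) and measures each.
func compare(n int) (rsaRate, ecRate float64, err error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	if rsaRate, err = signRate(rsaKey, n); err != nil {
		return 0, 0, err
	}
	ecRate, err = signRate(ecKey, n)
	return rsaRate, ecRate, err
}

func main() {
	r, e, err := compare(200)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: RSA-2048 %.0f sign/s, ECDSA P-256 %.0f sign/s (one core)\n", runtime.Version(), r, e)
}
```

Build and run it once with each Go version under comparison; the figures are single-core signing rates only and do not include the rest of a TLS handshake.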

Re: Grove RSA TLS performance.

Posted by Dan Kirkwood <da...@gmail.com>.
Jan, yep -- that's what John did with
https://github.com/apache/trafficcontrol/pull/2781

It's for grove only at this point, but we're considering upgrading
everything else to 1.11.x as well...

-dan

On Wed, Sep 5, 2018 at 8:09 AM Jan van Doorn <jv...@knutsel.com> wrote:

> It looked to me like the RSA problems almost went away with go 1.11? I’d
> say just use that.
>
> Also, you can’t mix and match? Meaning you can’t have RSA on TR and EC on
> the cache?
>
> Cheers,
> JvD
>
> > On Sep 5, 2018, at 07:43, Dave Neuman <ne...@apache.org> wrote:
> >
> > Thanks for the information John.
> > I think it's worth noting that, as far as I know, Traffic Router does not
> > support EC keys so if you plan to use grove with EC, it will have to be
> > without Traffic Router.  Support for elliptic curve certificates in Traffic
> > Router has been captured in this GitHub issue:
> > https://github.com/apache/trafficcontrol/issues/2774.
> >
> > Thanks,
> > Dave
> >

Re: Grove RSA TLS performance.

Posted by Jan van Doorn <jv...@knutsel.com>.
It looked to me like the RSA problems almost went away with go 1.11? I’d say just use that.

Also, you can’t mix and match? Meaning you can’t have RSA on TR and EC on the cache? 

Cheers,
JvD

> On Sep 5, 2018, at 07:43, Dave Neuman <ne...@apache.org> wrote:
> 
> Thanks for the information John.
> I think it's worth noting that, as far as I know, Traffic Router does not
> support EC keys so if you plan to use grove with EC, it will have to be
> without Traffic Router.  Support for elliptic curve certificates in Traffic
> Router has been captured in this GitHub issue:
> https://github.com/apache/trafficcontrol/issues/2774.
> 
> Thanks,
> Dave
> 


Re: Grove RSA TLS performance.

Posted by Dave Neuman <ne...@apache.org>.
Thanks for the information John.
I think it's worth noting that, as far as I know, Traffic Router does not
support EC keys so if you plan to use grove with EC, it will have to be
without Traffic Router.  Support for elliptic curve certificates in Traffic
Router has been captured in this GitHub issue:
https://github.com/apache/trafficcontrol/issues/2774.

Thanks,
Dave
