Posted to users@tomcat.apache.org by Jeremy Boyd <jb...@docmagic.com> on 2004/02/04 22:41:57 UTC

Apache/Tomcat/SSL vs. Tomcat/SSL

Hi all-

I searched through the archives to see if this question has already been
asked and answered.  I did not find anything, but forgive me if I missed
the answer.

I am wondering what the general consensus is regarding SSL performance
in both Apache and Tomcat.  I am interested in deploying Tomcat and my
application requires SSL.  I am debating whether I should access Tomcat
through the AJP connector using Apache, thus allowing Apache to handle
all of the SSL traffic or whether it is better to deploy Tomcat in
standalone mode and allow Tomcat to fulfill requests and handle the SSL
traffic.

My thought is that since Apache is written in C it may be more efficient
to have Apache handle the SSL.  However, I am not sure if the overhead
of the connector would negate any performance benefits gained from
having Apache handle the SSL rather than Tomcat.  If performance is the
same or only marginally better with Apache then I am not sure if the
added complexity of having Apache in the equation is warranted.  I have
not benchmarked to see if there is actually a performance difference.
Does anyone have an opinion on this or any benchmarks they could share?

Thanks,
Jeremy
_______________________________
Information Systems Manager
Document Systems, Inc.
20501 South Avalon Blvd
Carson, CA  90746

Phone: 800-649-1362 ext 241
FAX: 800-564-1362

e-mail: jboyd@docmagic.com
web: www.docmagic.com

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Apache/Tomcat/SSL vs. Tomcat/SSL

Posted by David Wall <d....@computer.org>.
> My thought is that since Apache is written in C it may be more efficient
> to have Apache handle the SSL.  However, I am not sure if the overhead
> of the connector would negate any performance benefits gained from
> having Apache handle the SSL rather than Tomcat.  If performance is the
> same or only marginally better with Apache then I am not sure if the
> added complexity of having Apache in the equation is warranted.  I have
> not benchmarked to see if there is actually a performance difference.
> Does anyone have an opinion on this or any benchmarks they could share?

Great question.  I've got the same consideration, but without a way to drive
lots of SSL transactions from lots of different clients, it's hard to know.
SSL has a lot of overhead in setup, but there's some SSL persistence that
gives you a benefit for frequent requests that avoid the re-negotiations.
But I know that consumes memory, so there are no doubt issues related to the
number of different concurrent clients using SSL at the same time.

Also, OpenSSL (why it's never reached the 1.0 level I can't say since it's
been in production for many years!) is probably more mature than the JSSE.
And while C code would surely be faster, the server VMs supposedly do a
great job on code that's constantly executed as would be the case for the
SSL java code.  And surely there are real costs associated with the memory
and thread/process overhead of running HTTPD on the same computer.  Of
course, there are some security advantages if the HTTPD runs on one machine
with a public IP addr and TOMCAT on another server using a private IP addr.

And the Apache http engine is certainly more mature than Tomcat's, but I
don't have any benchmarks or other info to tell me if it's really that much
faster, or if either is more secure (after all, Java typically is less
vulnerable than C code).

We're creating an office edition of our flagship Signed & Secured enterprise
software, and we're trying to simplify systems dramatically, so we'd like to
get rid of Apache just for the simplicity of it all.  We're even going to
buck the "no user threads" warning for servlet containers since Tomcat
allows them and it will make our system even simpler by removing the need
for a couple of standalone Java applications and a few batch Java
applications.

I hope others can comment on real stats they've seen.

Thanks,
David

