JDK9 "SSL" enhancements backport to JDK8

Alen Vrečko alen.vrecko at gmail.com
Tue Jan 19 20:06:52 UTC 2016 

Yeah. To be clear. GCM makes the biggest difference. In my tests CBC
suites perform pretty similarly (J8/J9).

Additionally I tested with simple netty based Java https server that
returns 3 MiB file on get request. Used modified (TLSv1.2) wrk2 as the
client. For TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:

Java 8: CPU: 100%+ Failed to get 2.4 Gbit out of the machine
Java 9: CPU: ~20-25% Easily got 2.4 Gbit out of the machine

Used two, a bit dated, 2 x E5620 machines.

In short GCM suites perform horribly on Java8. They don't even come
close to CBC suites performance. I might even say GCM suites on Java8
are unusable short of hobby programs. On the other hand. For some of
my benchmarks Java9 GCM suites take 2x less CPU resouces in respect to
comparable CBC suites.

Doesn't look like a ton of work to get this backported...

Alen

2016-01-19 10:45 GMT+01:00 Ismael Juma <mlists at juma.me.uk>:
> Hi,
>
> The delay of JDK 9 until 2017 seems to make this proposal even more
> worthwhile.
>
> Best,
> Ismael
>
>
> On Thu, Nov 19, 2015 at 5:52 PM, Alen Vrečko <alen.vrecko at gmail.com> wrote:
>>
>> Hi, Xuelei.
>>
>> To put things into perspective. I ran a simulation of https production
>> load on the venerable E5620 machines. A simple server client set-up
>> sending dummy data no other processing overhead. (took care of
>> coordinated omission). On JDK8u65 the plain old SSLServerSocket code
>> took literally 50% of all CPU resources. I see a consistent load
>> factor of ~8 out of 16. Running the same exact bytecode (compiled with
>> JDK8u65) on JDK9b92, I see a consistent load factor of ~1 out of 16.
>> That is ~6% of all CPU availability.
>>
>> Profiling with YourKit revealed that massive amounts of time are spent
>> in the crypto (~92%). The ghash#update in particulary screams out on
>> JDK8. On JDK9 things are significantly better. ghash#update only takes
>> ~2% CPU time while on JDK8 it takes ~45%. Just some rough ballparks.
>>
>> Fundamentally I'd like to see a future JDK8uN to give me a similar
>> load factor as seen currently with JDK9b92. I am still pretty blown
>> away with the difference.
>>
>> The related commits look pretty self-contained. I'd most probably
>> botch the job if I backport myself. You're the experts here. ;)
>>
>> Thanks.
>> Alen
>>
>> 2015-11-18 15:09 GMT+01:00 Xuelei Fan <Xuelei.Fan at oracle.com>:
>> > Hi Alen,
>> >
>> > Except JDK-8046943, what else enhancements would you like to see in JDK
>> > 8u?
>> > What's the requirement for each backport?
>> >
>> > Thanks,
>> > Xuelei
>> >
>> >
>> > On 11/18/2015 1:02 AM, Alen Vrečko wrote:
>> >>
>> >> Hi.
>> >>
>> >> Any ideas if/when the enhancement to "SSL" in JDK9 will make it to
>> >> JDK8?
>> >> The improvements are quite substantial to say the least.
>> >>
>> >> I could not find any info regarding back-porting in
>> >> https://bugs.openjdk.java.net/browse/JDK-8046943
>> >> and related issues.
>> >>
>> >> Best regards.
>> >> Alen
>> >>
>> >
>
>

More information about the jdk8u-dev mailing list