Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-33877

lower throughput/higher latency of KV after switching to openSSL 1.1.1 (Java client)

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Not a Bug
    • 6.5.0
    • 6.5.0
    • memcached
    • hebe cluster, centos 7
    • Untriaged
    • Unknown

    Description

      After adding support of TLS 1.3 and switching to openSSL 1.1.1 we got better pillowfight throughput (max throughput increased from 320K to  663K)

      But Java SDK based test (YCSB) got slower. 224K to 177K.

      http://showfast.sc.couchbase.com/#/timeline/Linux/kv/ycsb/all

      Tested with java SDK 2.7.0.

      Will test also with Java SDK 3 if support is there and update the ticket

       

      Build: 6.5.0-2856

      Code changes:

      https://github.com/couchbase/tlm/commit/bca066dc03dfbe14ae2831ffe2450011ed1ba097

      https://github.com/couchbase/tlm/commit/afa64e6cf80b45905e0fd1e670cedee42b531ddf

       

      Attachments

        1. 11207capture
          8.21 MB
        2. 11207capture2
          9.10 MB
        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          drigby Dave Rigby added a comment - As an aside, various [1] sources [2] [3] [4] list TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) as a weak cipher suite and not recommended for use. [1] : https://community.letsencrypt.org/t/lets-encrypt-and-ssl-labs-weak-cipher-suites/52045 [2] : https://feedback.azure.com/forums/169385-web-apps/suggestions/31405774-disable-ciphers-which-support-weak-encryption-cbc [3] : https://community.qualys.com/thread/17971-tlsrsawithaes256cbcsha-comes-to-be-weak-cipher [4] : https://wiki.mozilla.org/Security/Server_Side_TLS

          Ok so interestingly, cbc pillowfight uses the same cipher suite for the two builds: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035). This suite is different from the two java suites.

           

          korrigan.clark Korrigan Clark added a comment - Ok so interestingly, cbc pillowfight uses the same cipher suite for the two builds: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035). This suite is different from the two java suites.  

          3143 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: http://perf.jenkins.couchbase.com/job/hebe/3915/

          3143 with TLS_RSA_WITH_AES_256_CBC_SHA256: http://perf.jenkins.couchbase.com/job/hebe/3913/

          comparison: http://cbmonitor.sc.couchbase.com/reports/html/?snapshot=hebe_650-3143_access_56a3&snapshot=hebe_650-3143_access_aa37

          cpu utilization looks basically the same but the beam.smp cpu utilization looks slightly higher for 3143 with TLS_RSA_WITH_AES_256_CBC_SHA256.

          korrigan.clark Korrigan Clark added a comment - 3143 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:  http://perf.jenkins.couchbase.com/job/hebe/3915/ 3143 with TLS_RSA_WITH_AES_256_CBC_SHA256:  http://perf.jenkins.couchbase.com/job/hebe/3913/ comparison:  http://cbmonitor.sc.couchbase.com/reports/html/?snapshot=hebe_650-3143_access_56a3&snapshot=hebe_650-3143_access_aa37 cpu utilization looks basically the same but the beam.smp cpu utilization looks slightly higher for 3143 with TLS_RSA_WITH_AES_256_CBC_SHA256.
          drigby Dave Rigby added a comment -

          Thanks for re-running. So it just looks like TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is a less efficient / more expensive algorithm than TLS_RSA_WITH_AES_256_CBC_SHA256.

          As such I don't think there's anything more to do here - the slowdown seems due to the different, more secure cipher.

          We possibly want to review which cipher(s) we want to benchmark against, but for this particular issue I'm closing as "Not a Bug".

          drigby Dave Rigby added a comment - Thanks for re-running. So it just looks like TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is a less efficient / more expensive algorithm than TLS_RSA_WITH_AES_256_CBC_SHA256 . As such I don't think there's anything more to do here - the slowdown seems due to the different, more secure cipher. We possibly want to review which cipher(s) we want to benchmark against, but for this particular issue I'm closing as "Not a Bug".

          Bulk closing the bugs that are marked as Not a bug

          raju Raju Suravarjjala added a comment - Bulk closing the bugs that are marked as Not a bug

          People

            korrigan.clark Korrigan Clark
            oleksandr.gyryk Alex Gyryk (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes

                PagerDuty