netty: Performance degradation in SslContextBuilder.build() on Java 11 for mTLS connections
Expected behavior
When we build an SslContext for a Client using SslContextBuilder, no matter the parameters we set for the builder, running it on Java 11 takes 2x or 3x more time than on Java 8.
An average of 30 runs of the below code on Java 8 shows an average of 500 ms, when the same is run on JDK11, it takes up to 1500 ms.
Actual behavior
Ideally Java 11 and Java 8 performance should be similar.
Minimal yet complete reproducer code (or URL to code)
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient()
.trustManager(rootCACert)
.ciphers(null)
.sessionCacheSize(0)
.sessionTimeout(0)
.sslProvider(SslProvider.OPENSSL) // or SslProvider.JDK, doesn't matter
.clientAuth(ClientAuth.REQUIRE);
sslContextBuilder.build();
Netty version
4.1.50.Final, 4.1.64.Final
JVM version (e.g. java -version)
openjdk1.8.0_172, openjdk_11.0.8_11.41.54
OS version (e.g. uname -a)
MacOS 19.6.0 Darwin Kernel
About this issue
- Original URL
- State: open
- Created 3 years ago
- Comments: 21 (18 by maintainers)
Well, this one fell off my radar. I will get back by this weekend with some updates.
Anyone did investigate this yet ?
Actually there is another use case noticed by @mpnikhil. In most places for security purposes, certificates are rotated on a routine basis. Each one of those would require re-loading the new certs and building a new context. So it’s not like once we create a context we’re done. Although not as intensive, its still a drag which would apply to most non-specific use cases IMO.
My use case is super exotic. I’ll try to investigate as soon as I can find some time to.
Cool, Lemme try to tackle this.
openjdk version “1.8.0_292” OpenJDK Runtime Environment Corretto-8.292.10.1 (build 1.8.0_292-b10) OpenJDK 64-Bit Server VM Corretto-8.292.10.1 (build 25.292-b10, mixed mode)