SSL performance tips

The following are two types of Secure Sockets Layer (SSL) performance:

When an SSL connection is established, an SSL handshake occurs. After a connection is made, SSL performs bulk encryption and decryption for each read-write. The performance cost of an SSL handshake is much larger than that of bulk encryption and decryption.

Using a single SSL connection to send multiple requests (rather than opening a connection for each request) can enhance SSL performance. Additionally, it is important to reduce the the number of times a new connection is opened. Decreasing the overall number of connections increases performance for secure communication through SSL connections, as well as non-secure communication through simple TCP/IP connections. One way to send multiple requests over a single SSL connection us to use a browser that supports HTTP 1.1.

Another common approach is to decrease the number of connections (both TCP/IP and SSL) between two WebSphere Application Server components. The following guidelines help to verify the HTTP transport of the application server is configured so that the Web server plug-in does not repeatedly open new connections to the application server:

Another way to improve performance is to use an alternative cipher suite that more quickly encrypts and decrypts data.

The performance of a cipher suite is different with software and hardware. Just because a cipher suite performs better in software does not mean a cipher suite performs better with hardware. Some algorithms are typically inefficient in hardware (for example, DES and 3DES), however, specialized hardware can provide efficient implementations of these same algorithms.

The performance of bulk encryption and decryption is affected by the cipher suite used for an individual SSL connection. The following chart displays the performance of each cipher suite:

Performance analysis of various cipher suites

The test software for calculating the data uses Java Secure Socket Extension (JSSE) for both the client and server software, which uses no cryptographic hardware support. The test did not include the time for establishing a connection, but only the time to transmit data through an established connection. Therefore, the data reveals the relative SSL performance of various cipher suites for long running connections.

Before establishing a connection, the client enables a single cipher suite for each test case. After the connection is established, the client measures how long it takes to write an integer to the server and for the server to write the specified number of bytes back to the client. Varying the amount of data has negligible effects on the relative performance of the cipher suites.

An analysis of the above reveals the following analysis: