[Help-gnutls] Re: Simple question about performance

Simon Josefsson simon at josefsson.org
Tue Apr 14 02:35:43 CEST 2009


Miroslav Kratochvil <exa.exa at gmail.com> writes:

> Hi there,
>
> I'm thinking about rewriting one of my projects from OpenSSL to GnuTLS.
> The project is a VPN, and as it basically needs only pretty good raw
> transfer speed, I began to be concerned about some rumors that my little
> search returned - those were mostly about GnuTLS being 30-50% slower
> than OpenSSL. Most of those posts were around 3-5 years old, though, so
> I'm writing here to ask:
>
> a] Is there really such a performance gap? (I don't count
> recently-discussed TLS handshake problems, I need only raw
> crypting/transfer speeds.)
> b] Do we have some kind of real benchmark? like "encrypt 50 megs with
> RSA: x,y,z seconds for gnutls/openssl/nss/..."
>
> I'm sorry if bringing this topic up isn't needed and I only got
> confused by bad Google results; but I would really like someone
> to comment on this.

For bulk encryption, you probably want to compare libgcrypt vs openssl
rather than gnutls vs openssl.

I benchmarked mod_gnutls vs mod_ssl under apache, using sieve, some time
ago, even for large files, and the differences weren't significant
(mod_ssl was typically faster but mod_gnutls was faster in some
configurations).  One potential problem with mod_gnutls/gnutls was that
it sent each TLS handshake message as a separate TCP packet which may
slow down benchmarks, but it is not clear whether this is significant.
It does not apply to bulk encryption.

I don't recall much feedback about speed issues.  There is certainly
room for optimization.  If you can provide a good test setup to compare
gnutls vs openssl in an application, I would be interested in optimizing
things.  However, the first step before optimization is to do good
benchmarks to illustrate that there is a significant problem.  My last
attempt at benchmarking didn't result in any obvious problem so I didn't
proceed in optimizing anything.

/Simon




