How to improve the performance of SSL service in NODE.js
Anyone who browses the Internet knows that SSL encryption is very important. At PayPal, security is our top priority. We use end-to-end encryption, not only for our public websites, but also for our internal service calls. SSL encryption, however, greatly affects the performance of Node.js. We have spent time tuning our outbound services to get the most out of them. The following is a list of SSL configuration adjustments that we found can significantly improve outbound SSL performance.

SSL ciphers

By default, Node.js uses a very strong set of cipher algorithms for SSL. In particular, Diffie-Hellman key exchange and elliptic-curve algorithms are extremely expensive. When you make many outbound SSL calls with the default configuration, the performance of Node.js is fundamentally weakened. To give an idea of how slow it is, the following is a CPU sample of a service call:

    918834.0ms 100.0% 0.0 node (91770)
    911376.0ms 99.1% 0.0
    911376.0ms 99.1% 0.0 node::Start
    911363.0ms 99.1% 48.0 uv_run
    909839.0ms 99.0% 438.0 uv__io_poll
    876570.0ms 95.4% 849.0 uv__stream_io
    873590.0ms 95.0% 32.0 node::StreamWrap::OnReadCommon
    873373.0ms 95.0% 7.0 node::MakeCallback
    873265.0ms 95.0% 15.0 node::MakeDomainCallback
    873125.0ms 95.0% 61.0 v8::Function::Call
    873049.0ms 95.0% 13364.0 _ZN2v88internal6InvokeEbNS0
    832660.0ms 90.6% 431.0 _ZN2v88internal21Builtin
    821687.0ms 89.4% 39.0 node::crypto::Connection::ClearOut
    813884.0ms 88.5% 37.0 ssl23_connect
    813562.0ms 88.5% 54.0 ssl3_connect
    802651.0ms 87.3% 35.0 ssl3_send_client_key_exchange
    417323.0ms 45.4% 7.0 EC_KEY_generate_key
    383185.0ms 41.7% 12.0 ecdh_compute_key
    1545.0ms 0.1% 4.0 tls1_generate_master_secret
    123.0ms 0.0% 4.0 ssl3_do_write
    ...

Let's focus on key generation:

    802651.0ms 87.3% 35.0 ssl3_send_client_key_exchange
    417323.0ms 45.4% 7.0 EC_KEY_generate_key
    383185.0ms 41.7% 12.0 ecdh_compute_key

87% of the time for this call is spent generating keys!

You can change these ciphers to reduce the intensive computation. The idea has been put forward.

...

You can learn more about cipher strings in the OpenSSL documentation.

SSL session resumption

If your servers support SSL session resumption, you can pass the session through https (or the agent). You can also wrap the agent's createConnection function:

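    // Keep a reference to the agent's original createConnection.
    var createConnection = agent.createConnection;

    // Offer the saved session on every new connection the agent opens.
    agent.createConnection = function (options) {
        options.session = session;
        return createConnection.call(agent, options);
    };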

Session resumption performs an abbreviated handshake on the connection, which reduces the cost of your connections.
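The wrapper above leaves open where `session` comes from. The following is an added example, not code from the original article, that captures sessions per peer and offers them back on later connections; `enableSessionReuse` and the host `service.example` are illustrative names.

```javascript
'use strict';
const https = require('https');

// Wrap agent.createConnection (as in the snippet above) so that each peer
// reuses the most recent TLS session it was issued.
function enableSessionReuse(agent, cache = new Map()) {
  const createConnection = agent.createConnection;
  agent.createConnection = function (options, ...rest) {
    // Key by host, port and SNI name: a session must only ever be offered
    // back to the peer that issued it.
    const key = [options.host, options.port, options.servername || ''].join('|');
    const session = cache.get(key);
    const opts = session ? Object.assign({}, options, { session }) : options;
    const socket = createConnection.call(agent, opts, ...rest);
    // 'session' fires whenever the server issues a new resumable session or
    // ticket. It also covers TLS 1.3, where tickets arrive after the handshake.
    socket.on('session', (fresh) => cache.set(key, fresh));
    return socket;
  };
  return cache;
}

// Usage: no connection is opened until the agent is handed to a request.
// 'service.example' is a placeholder host, not one from the article.
const agent = new https.Agent({ keepAlive: true });
const sessions = enableSessionReuse(agent);
// https.get({ host: 'service.example', path: '/', agent }, (res) => { /* ... */ });
```

Current Node.js releases already cache sessions inside https.Agent (see its `maxCachedSessions` option), so this mainly shows the mechanism; `socket.isSessionReused()` confirms whether a given connection actually resumed.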

Keep-alive

Enabling keep-alive on the agent eases the SSL handshake load. A keep-alive agent such as agentkeepalive can fix Node's keep-alive problems, but it is not necessary in Node 0.12.

Another thing to remember is the agent's maxSockets: if it is high, it can have a negative impact on performance. Control the maxSockets value according to the number of outbound connections you create.

Slab size

tls.SLAB_BUFFER_SIZE determines the allocated size of the slab buffer used by tls clients (and servers). By default, its size is 10MB.

These allocated slabs will expand your RSS and increase the time spent in garbage collection. This means that performance is affected at high volume. Adjusting this to a lower value can improve memory and garbage-collection performance. In version 0.12, slab allocation has been improved and no adjustment is needed.

Recent SSL changes in 0.12

Testing Fedor's SSL enhancements.

Test specification

An http service runs as a proxy to an SSL service, all running on the same machine.

v0.10.22

    Running 10s test @ http://127.0.0.1:3000/
      20 threads and 20 connections
      Thread Stats   Avg      Stdev     Max   +/- Stdev
        Latency    69.38ms   30.43ms 268.56ms   95.24%
        Req/Sec    14.95      4.16    20.00     58.65%
      3055 requests in 10.01s, 337.12KB read
    Requests/sec:    305.28
    Transfer/sec:     33.69KB

v0.11.10-pre (built from master)

    Running 10s test @ http://127.0.0.1:3000/
      20 threads and 20 connections
      Thread Stats   Avg      Stdev     Max   +/- Stdev
        Latency    75.87ms    7.10ms 102.87ms   71.55%
        Req/Sec    12.77      2.43    19.00     64.17%
      2620 requests in 10.01s, 276.33KB read
    Requests/sec:    261.86
    Transfer/sec:     27.62KB

There is not much difference, but this is because of the default ciphers, so let's adjust the agent's ciphers option. For example:

    // key and cert hold the client key and certificate loaded elsewhere.
    var agent = new https.Agent({
        "key": key,
        "cert": cert,
        "ciphers": "AES256-GCM-SHA384"
    });
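The cipher chosen above has no key-exchange prefix, which in OpenSSL naming means static RSA: the ECDHE work seen in the profile goes away, and so does forward secrecy. The following added example, not code from the original article, parses OpenSSL suite names to show which entries of a `ciphers` string make that trade; `describeCipher` and `suitesWithoutForwardSecrecy` are illustrative names.

```javascript
'use strict';
const tls = require('tls');

// OpenSSL names for TLS 1.2 and older lead with the key exchange, unless it is
// static RSA, in which case the name starts directly with the bulk cipher.
// Value: does the key exchange use ephemeral keys (forward secrecy)?
// ADH/AECDH are ephemeral but unauthenticated, which is a separate problem.
const KEY_EXCHANGE = new Map([
  ['ECDHE', true], ['DHE', true], ['EDH', true], ['ADH', true], ['AECDH', true],
  ['ECDH', false], ['DH', false], ['PSK', false],
]);

function describeCipher(name) {
  const upper = name.toUpperCase();
  if (upper.startsWith('TLS_')) {
    // TLS 1.3 suites name only the AEAD and hash; key exchange is always ephemeral.
    return { name: upper, keyExchange: '(EC)DHE', forwardSecrecy: true };
  }
  const first = upper.split('-')[0];
  const keyExchange = KEY_EXCHANGE.has(first) ? first : 'RSA';
  return { name: upper, keyExchange, forwardSecrecy: KEY_EXCHANGE.get(keyExchange) === true };
}

// Return the explicitly named suites in a colon-separated `ciphers` string that
// give up forward secrecy. Operators (!, -, +, @) and group keywords such as
// HIGH are skipped: only names this Node build reports as real suites count.
function suitesWithoutForwardSecrecy(cipherList, known = tls.getCiphers()) {
  const knownSet = new Set(known.map((c) => c.toUpperCase()));
  return cipherList
    .split(':')
    .map((entry) => entry.trim().toUpperCase())
    .filter((entry) => knownSet.has(entry))
    .map(describeCipher)
    .filter((info) => !info.forwardSecrecy)
    .map((info) => info.name);
}

// The value benchmarked in the article, next to an ECDHE suite for contrast.
console.log(describeCipher('AES256-GCM-SHA384'));
console.log(describeCipher('ECDHE-RSA-AES256-GCM-SHA384'));
console.log(suitesWithoutForwardSecrecy('ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384'));
```

Running a check like this over a proposed `ciphers` value before rollout makes the CPU-for-forward-secrecy trade an explicit decision rather than a side effect of tuning.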

v0.10.22

    Running 10s test @ http://localhost:3000/
      20 threads and 20 connections
      Thread Stats   Avg      Stdev     Max   +/- Stdev
        Latency    59.85ms    6.77ms  95.71ms   77.29%
        Req/Sec    16.39      2.36    22.00     61.97%
      3339 requests in 10.00s, 368.46KB read
    Requests/sec:    333.79
    Transfer/sec:     36.83KB

v0.11.10-pre (built from master)

    Running 10s test @ http://localhost:3000/
      20 threads and 20 connections
      Thread Stats   Avg      Stdev     Max   +/- Stdev
        Latency    38.99ms    5.96ms  71.87ms   86.22%
        Req/Sec    25.43      5.70    35.00     63.36%
      5160 requests in 10.00s, 569.41KB read
    Requests/sec:    515.80
    Transfer/sec:     56.92KB

We can see that there is a huge difference with Fedor's changes: almost a 2x performance difference between 0.10 and 0.12!

Summary

Some people may ask, "Why not simply turn off SSL? It will be faster with it off," and for some that is an option. In fact, this is the typical answer I get when I ask others how they solve SSL performance problems. However, if anything, enterprise SSL requirements will only increase; although a lot of work has been done in Node.js to improve SSL, performance tuning is still needed. I hope some of the above techniques help you tune the performance of your SSL use cases.