SSL ciphers
Node.js SSL uses a set of very strong encryption algorithms by default. In particular, Diffie-Hellman key exchange and elliptic curve algorithms are extremely expensive. When you make many outbound SSL calls with the default configuration, the performance of Node.js suffers badly. To give a sense of how slow it is, the following is a CPU sample of a service call:
918834.0ms 100.0% 0.0 node (91770)
911376.0ms 99.1% 0.0
911376.0ms 99.1% 0.0 node::Start
911363.0ms 99.1% 48.0 uv_run
909839.0ms 99.0% 438.0 uv__io_poll
876570.0ms 95.4% 849.0 uv__stream_io
873590.0ms 95.0% 32.0 node::StreamWrap::OnReadCommon
873373.0ms 95.0% 7.0 node::MakeCallback
873265.0ms 95.0% 15.0 node::MakeDomainCallback
873125.0ms 95.0% 61.0 v8::Function::Call
873049.0ms 95.0% 13364.0 _ZN2v88internal6InvokeEbNS0
832660.0ms 90.6% 431.0 _ZN2v88internal21Builtin
821687.0ms 89.4% 39.0 node::crypto::Connection::Clear
813884.0ms 88.5% 37.0 ssl23_connect
813562.0ms 88.5% 54.0 ssl3_connect
802651.0ms 87.3% 35.0 ssl3_send_client_key_exchange
417323.0ms 45.4% 7.0 EC_KEY_generate_key
383185.0ms 41.7% 12.0 ecdh_compute_key
1545.0ms 0.1% 4.0 tls1_generate_master_secret
123.0ms 0.0% 4.0 ssl3_do_write
...
Let's focus on key generation:
802651.0ms 87.3% 35.0 ssl3_send_client_key_exchange
417323.0ms 45.4% 7.0 EC_KEY_generate_key
383185.0ms 41.7% 12.0 ecdh_compute_key
87% of the time in this call is spent generating keys!
You can change these ciphers to less computationally intensive ones. The idea has been put forward.
...
You can learn more about cipher strings in the OpenSSL documentation.
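Dropping ECDHE for performance has a security cost: a suite name without a key-exchange prefix, such as the AES256-GCM-SHA384 this article passes to the agent, uses RSA key transport and gives no forward secrecy. The following added example (not code from the original article) audits a `ciphers` value for that trade-off; the function names are hypothetical and the classification works on explicit suite names only.

```javascript
// Added example: classify explicit OpenSSL cipher-suite names by key exchange.
// Name-based heuristic only. Aliases and operators (HIGH, !aNULL, ECDHE+AESGCM)
// and PSK/SRP suites are reported as unresolved, not guessed at.
function keyExchangeOf(name) {
  const n = name.toUpperCase();
  if (n.startsWith('TLS_')) return 'ephemeral';            // TLS 1.3: always (EC)DHE
  if (!/^[A-Z0-9]+(-[A-Z0-9]+)+$/.test(n)) return 'unresolved';
  if (/(^|-)(PSK|SRP)(-|$)/.test(n)) return 'unresolved';
  if (/^(ECDHE|DHE|EDH)-/.test(n)) return 'ephemeral';
  if (/^(ADH|AECDH)-/.test(n)) return 'anonymous';
  if (/^(ECDH|DH)-/.test(n)) return 'static-dh';
  return 'rsa';                                            // no prefix: RSA key transport
}

const REASONS = {
  rsa: 'RSA key transport, no forward secrecy',
  'static-dh': 'static (EC)DH, no forward secrecy',
  anonymous: 'anonymous key exchange, server is not authenticated',
};

// Takes the value passed as the agent's `ciphers` option.
function auditCiphers(cipherString) {
  const report = { ok: [], flagged: [], unresolved: [] };
  for (const name of cipherString.split(/[:, ]+/).filter(Boolean)) {
    const kx = keyExchangeOf(name);
    if (kx === 'ephemeral') report.ok.push(name);
    else if (kx === 'unresolved') report.unresolved.push(name);
    else report.flagged.push({ name, reason: REASONS[kx] });
  }
  return report;
}

// The cipher this article passes to the agent, next to an ECDHE suite (constructed input).
console.log(auditCiphers('AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:HIGH'));
```

Entries reported as unresolved need `openssl ciphers` to expand them before they can be judged.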
SSL session resumption
If your server supports SSL session resumption, you can pass the session through https (or the agent). You can also wrap the agent's createConnection function:
// `agent` is the https.Agent; `session` is a TLS session saved from an earlier connection.
var createConnection = agent.createConnection;
agent.createConnection = function (options) {
    options.session = session;
    return createConnection.call(agent, options);
};
With session resumption, connections perform an abbreviated handshake, which reduces the cost of each connection.
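The wrapper above reuses one session for every connection. The following added example (not code from the original article) generalizes it to a cache keyed by endpoint, so a session is only offered back to the server that issued it. It assumes a current Node.js where `tls.TLSSocket` emits a `'session'` event; `enableSessionReuse` is a hypothetical name, and current `https.Agent` versions already cache sessions themselves (see the `maxCachedSessions` option).

```javascript
// Added example. `agent` is assumed to be an https.Agent (or any object with a
// compatible createConnection method).
function enableSessionReuse(agent) {
  const sessions = new Map(); // "servername:port" -> TLS session data
  const createConnection = agent.createConnection;

  agent.createConnection = function (options, callback) {
    // Key on the name being verified plus the port, never on the agent alone,
    // so one server's session is not presented to a different endpoint.
    const key = `${options.servername || options.host}:${options.port}`;
    const opts = Object.assign({}, options);
    if (!opts.session && sessions.has(key)) opts.session = sessions.get(key);

    const socket = createConnection.call(agent, opts, callback);
    // Store the newest session the server hands out for this endpoint.
    socket.on('session', (session) => sessions.set(key, session));
    // If the connection closed because of an error, stop offering that session.
    socket.once('close', (hadError) => {
      if (hadError) sessions.delete(key);
    });
    return socket;
  };
  return sessions;
}

// Usage (assumes `https` is required and `agent` is your outbound agent):
//   const agent = new https.Agent({ keepAlive: true });
//   enableSessionReuse(agent);
```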
Keep alive
Enabling keep-alive on the agent eases the cost of SSL handshakes. Keep-alive agents such as agentkeepalive can fix Node's keep-alive problems, but this is not necessary in Node 0.12.
Another thing to remember is the agent's maxSockets: a high value can have a negative impact on performance. Set maxSockets according to the number of outbound connections you create.
Slab size
tls.SLAB_BUFFER_SIZE determines the allocated size of the slab buffer used by tls clients (and servers). By default, its size is 10MB.
These allocated regions expand your RSS and increase garbage collection time. This means that a high value will affect performance. Lowering this value can improve memory and garbage collection performance. In version 0.12, slab allocation has been improved and no adjustment is needed.
Recent SSL changes in 0.12
Testing Fedor's SSL enhancements.
Test description
Run an http server that acts as a proxy to an SSL server, all running on the local machine.
v0.10.22
Running 10s test @ http://127.0.0.1:3000/
  20 threads and 20 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    69.38ms   30.43ms 268.56ms   95.24%
    Req/Sec    14.95      4.16    20.00     58.65%
  3055 requests in 10.01s, 337.12KB read
Requests/sec:    305.28
Transfer/sec:     33.69KB
v0.11.10-pre (built from master)
Running 10s test @ http://127.0.0.1:3000/
  20 threads and 20 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    75.87ms    7.10ms 102.87ms   71.55%
    Req/Sec    12.77      2.43    19.00     64.17%
  2620 requests in 10.01s, 276.33KB read
Requests/sec:    261.86
Transfer/sec:     27.62KB
There is not much difference, but this is because of the default ciphers, so let's adjust the agent's ciphers option. For example:
var https = require('https');
// key and cert hold the PEM-encoded key and certificate
var agent = new https.Agent({
    "key": key,
    "cert": cert,
    "ciphers": "AES256-GCM-SHA384"
});
v0.10.22
Running 10s test @ http://localhost:3000/
  20 threads and 20 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    59.85ms    6.77ms  95.71ms   77.29%
    Req/Sec    16.39      2.36    22.00     61.97%
  3339 requests in 10.00s, 368.46KB read
Requests/sec:    333.79
Transfer/sec:     36.83KB
v0.11.10-pre (built from master)
Running 10s test @ http://localhost:3000/
  20 threads and 20 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    38.99ms    5.96ms  71.87ms   86.22%
    Req/Sec    25.43      5.70    35.00     63.36%
  5160 requests in 10.00s, 569.41KB read
Requests/sec:    515.80
Transfer/sec:     56.92KB
We can see that Fedor's changes make a huge difference: between 0.10 and 0.12 there is almost a 2x difference in performance!
Summary
Some people may ask, "Why not simply turn off SSL? It will be faster without it", and for some people that is an option. In fact, this is a typical answer when I ask others how they solve SSL performance problems. However, if anything, enterprise SSL requirements are only increasing, and although a lot of work has been done in Node.js to improve SSL, performance tuning is still needed. I hope some of the above techniques help you tune the performance of your SSL use cases.