ietf-nntp TLS cipher renegotiation to NULL cipher

Harmeet Bedi harmeet at kodemuse.com
Mon Feb 10 17:52:00 PST 2003


----- Original Message -----
From: "Russ Allbery" <rra at stanford.edu>
> Has anyone actually benchmarked SSL/TLS with a large news server and
> discovered a substantial performance impact?

SSL/TLS characteristics shouldn't vary across TCP protocols.

Here are some rough numbers.
- SSL/TLS should cause 10%-20% performance overhead for a socket connection.
CPU saturation is usually the problem. 10% overhead is wonderful and more than
20% is cause for concern.

Overhead can be mitigated by choosing the right algorithms, crypto hardware
and most of all by good SSL Session Resumption. Long lived client-server
connections also make a huge difference, but I don't think/know if NNTP can
optimize for that.
RC4 is good for symmetric encryption, if one does not use crypto hardware.
Often users who care a lot about security are able to spend some money on
it.

The most expensive part of SSL/TLS is Asymmetric Encryption. This can be
reduced by session resumption. Session Resumption short circuits the
Asymmetric encryption step across TCP connections from the same application.
Session Resumption often depends on the SSL implementation and tuning by the site
administrator, so it may not show up on short test runs.

FYI: There is an excellent chapter on SSL Performance in this book:
http://www.rtfm.com/sslbook/

Harmeet



