

SSL Performance Overhead in MySQL - tdieds
http://www.mysqlperformanceblog.com/2013/10/10/mysql-ssl-performance-overhead/

======
jrochkind1
> _For a system which establishes and maintains long-running connections, the
> initial connection overhead becomes a non-factor, regardless of the
> encryption strength, but there’s still a rather large performance penalty
> compared to the unencrypted connection._

A theoretical performance penalty, which, in practice, you just right there
told us was a non-factor, right? If you are connection pooling. Which you
should be.

But yeah, in just about _any_ sort of application using SSL, if you're not
connection pooling your performance is going to be seriously sunk. I
demonstrated the same thing with ruby HTTP libraries and SSL here:
[http://bibwild.wordpress.com/2012/04/30/ruby-http-performance-shootout-redux/](http://bibwild.wordpress.com/2012/04/30/ruby-http-performance-shootout-redux/)

MySQL, http, anything -- SSL connection establishing is expensive. If you are
making lots of SSL connections, it's going to be expensive. If you can pool
and reuse SSL connections, you always always want to, it will make a big
difference.

~~~
falcolas
> If you are connection pooling. Which you should be.

Plain MySQL connections are exceptionally quick to set up - much more so than
many other DB options. For this reason, many people have written code that
does not use connection pooling (coughPHPcough), and instead creates new
connections at whim. This is why it's worth pointing the differences out.

As a point of contrast about the side effects of this connection speed: The
standard Python MySQL library does not even offer connection pooling - you
would have to write your own or use an ORM that provides pooling. On the other
hand, the most oft used PostgreSQL Python library offers connection pooling
for free.

Not saying one method is better than the other, but it's quite possible to
write a performant solution using MySQL that doesn't pool connections.

~~~
HarrisonFisk
In addition, when you are dealing with many thousand application servers and
many hundred database connections, the database will not end up happy having
to maintain > 10k connections.

So you will end up needing to add a proxy or connect every time. As you
indicated, since MySQL connections are so cheap (i.e. you can do > 50k per
second), it is faster and easier to create a new connection each time.

~~~
falcolas
Not just the database, at those quantities of connections, the OS itself
starts to have problems.

One frequently implemented solution is to kill off old idle connections, but
you may be surprised at how many pooling solutions don't deal with killed
connections well (or force the handling on the application at the wrong layer
of abstraction).
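An added example (mine, not code from the blog post or from anyone in this thread), in Ruby since the thread's own benchmark link is about Ruby clients: a loopback server that kills idle connections the way falcolas describes, next to a pool that probes each connection before handing it out and a naive pool that does not. IdleKillingServer, Pool and demo_pool are constructed names, and the wire protocol (one line in, one "ok" line back) is made up for the demo.

```ruby
require "socket"

# Loopback server that drops any connection silent for longer than idle_timeout seconds,
# the "kill off old idle connections" policy falcolas describes.
class IdleKillingServer
  attr_reader :port, :accepted

  def initialize(idle_timeout)
    @tcp = TCPServer.new("127.0.0.1", 0)
    @port, @accepted = @tcp.addr[1], 0
    @thread = Thread.new do
      loop do
        sock = @tcp.accept
        @accepted += 1
        Thread.new(sock) do |s|
          while IO.select([s], nil, nil, idle_timeout) && (line = s.gets)
            s.write("ok #{line}")
          end
          s.close # idle too long, or the client went away
        end
      end
    end
  end

  def close
    @thread.kill.join
    @tcp.close
  end
end

# Minimal pool. With validate: true a pooled connection is probed before it is handed out
# and replaced if the server has dropped it; with validate: false the caller gets whatever
# is in the pool, dead or alive, and must cope with the failure itself.
class Pool
  attr_reader :reconnects

  def initialize(port, size: 1, validate: true)
    @port, @validate, @reconnects = port, validate, 0
    @free = Array.new(size) { connect }
  end

  def with_connection
    sock = @free.pop || connect
    if @validate && !alive?(sock)
      sock.close rescue nil
      @reconnects += 1
      sock = connect
    end
    result = yield sock
    @free.push(sock)
    result
  rescue SystemCallError, IOError
    sock.close rescue nil # never return a broken socket to the pool
    raise
  end

  private

  def connect
    TCPSocket.new("127.0.0.1", @port)
  end

  # A healthy idle connection has nothing to read (:wait_readable). EOF (nil), a reset,
  # or unexpected buffered data all mean it is unusable.
  def alive?(sock)
    sock.read_nonblock(1, exception: false) == :wait_readable
  rescue SystemCallError, IOError
    false
  end
end

# Runs both pools against one idle-killing server and returns what each caller saw.
def demo_pool
  server = IdleKillingServer.new(0.1)
  query = ->(sock) { sock.puts("select 1"); sock.gets }
  good = Pool.new(server.port, validate: true)
  naive = Pool.new(server.port, validate: false)
  r = { first: good.with_connection(&query) }
  sleep 0.5 # both pooled connections sit idle long enough for the server to kill them
  r[:second] = good.with_connection(&query) # stale socket detected and replaced
  r[:reconnects] = good.reconnects
  r[:server_accepts] = server.accepted # two initial connections plus the replacement
  r[:naive] = begin
    naive.with_connection(&query) # nil (EOF) or an exception, never the reply
  rescue SystemCallError, IOError => e
    e.class.name
  end
  server.close
  r
end
```

The probe in alive? is the piece most pools skip: it costs one non-blocking read per checkout and turns a server-side kill into a transparent reconnect. Without it, the naive caller sees either nil or a reset from inside its query, which is the "handling at the wrong layer" falcolas mentions.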

------
fleitz
Would be interesting to know what symmetric cipher was used as well as what
the key exchange mechanism was. Probably far more important than key size.

I have a feeling it defaulted to DHE+AES256 which is known to be slow.

Also if AES was used, was it configured to use the native AES instructions?

Lots of questions about this benchmark.

------
PaulHoule
I hope SSL is a fad.

I haven't once seen an intranet renew its SSL certificate on time so it means
at least once a year there will be a period of a week to six months that you
have to click through a warning message.

Google switched the search to SSL and now nobody gets referrers for Google
searches anymore.

When Google switched to SSL now I have trouble when I connect to public WiFi
networks that want you to agree to something or log in to use the network --
it used to be you got redirected but now search just breaks without a sensible
warning message.

~~~
tptacek
For internal resources, there's no good reason at all to use browser-CA
certificates. Just set up your own internal CA (it's like 3 openssl commands),
add its certificate to your trust stores, and sign your own certificates.

If you know you're only ever going to have a couple-three boxes using SSL, you
can also just use self-signed certificates and a static whitelist. Self-signed
certificates don't work at all on the public Internet, but they're just fine
for internal resources, as long as you can somehow pin them.
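An added example, not code from the blog post or from any commenter, that puts the thread's points together on a loopback TLS server using Ruby's openssl standard library: the per-connection handshake cost jrochkind1 and HarrisonFisk argue about (the server counts handshakes; reconnect-per-query versus one reused connection), the negotiated cipher suite fleitz asks about, and tptacek's internal CA, generated here in memory, added to the client's trust store as the only trusted certificate. HOST, build_cert, CountingTLSServer, client_context, tls_connect and demo_tls are constructed names, and the hostname db.internal.example is invented.

```ruby
require "openssl"
require "socket"

HOST = "db.internal.example" # constructed hostname for the intranet database server

# Build an X.509 v3 certificate: self-signed when no issuer is given (a root CA), else issued by that CA.
def build_cert(subject, key, ca: false, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate, ef.issuer_certificate = cert, issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256")) # returns the signed certificate
end

# Loopback TLS echo server that counts completed handshakes, the cost under debate:
# a reused connection pays it once, a reconnect-per-query client pays it every time.
class CountingTLSServer
  attr_reader :port, :handshakes

  def initialize(cert, key)
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert, ctx.key = cert, key
    tcp = TCPServer.new("127.0.0.1", 0)
    @port, @handshakes = tcp.addr[1], 0
    @ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
    @thread = Thread.new do
      loop do
        conn = @ssl.accept # TCP accept plus TLS handshake
        @handshakes += 1
        Thread.new(conn) { |c| c.each_line { |l| c.write("echo: #{l}"); c.flush } rescue nil; c.close rescue nil }
      rescue StandardError
        # a client that rejected our certificate aborted its handshake; keep serving
      end
    end
  end

  def close
    @thread.kill.join
    @ssl.close
  end
end

# Client context that trusts only the certificates given (the internal CA, installed the way
# tptacek describes); given none, it trusts nothing.
def client_context(*trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  OpenSSL::SSL::SSLContext.new.tap { |ctx| ctx.verify_mode, ctx.cert_store = OpenSSL::SSL::VERIFY_PEER, store }
end

# Connect, complete the handshake, then require that the certificate names the host we meant
# to reach; on any TLS failure close the socket and re-raise.
def tls_connect(port, ctx, hostname: HOST)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  ssl.hostname, ssl.sync_close = hostname, true # SNI; closing the TLS socket closes TCP too
  ssl.connect
  ssl.post_connection_check(hostname)
  ssl
rescue OpenSSL::SSL::SSLError
  ssl&.close
  raise
end

# Runs each scenario against one loopback server and returns the outcomes.
def demo_tls(requests = 5)
  ca_key, srv_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = build_cert("/CN=Internal Root CA", ca_key, ca: true)
  srv = build_cert("/CN=#{HOST}", srv_key, issuer: ca, issuer_key: ca_key, san: "DNS:#{HOST}")
  server, trust_ca, r = CountingTLSServer.new(srv, srv_key), client_context(ca), {}
  # 1. A fresh TLS connection per query: one handshake per query.
  requests.times { |i| s = tls_connect(server.port, trust_ca); s.puts("q#{i}"); s.gets; s.close }
  r[:handshakes_without_reuse] = server.handshakes
  # 2. The same queries over one long-lived connection: a single handshake.
  s = tls_connect(server.port, trust_ca)
  requests.times { |i| s.puts("q#{i}"); s.gets }
  r[:cipher] = s.cipher[0] # the negotiated suite fleitz asks about
  s.close
  r[:handshakes_with_reuse] = server.handshakes - r[:handshakes_without_reuse]
  # 3. A client that does not trust the internal CA refuses the server.
  r[:untrusted_ca_rejected] = begin
    tls_connect(server.port, client_context).close
    false
  rescue OpenSSL::SSL::SSLError
    true # the careful client refused: "certificate verify failed"
  end
  server.close
  r
end
```

Whether AES uses the CPU's AES-NI instructions is a property of the OpenSSL build and the CPU, not of the suite name `cipher` reports; on a given box, `openssl speed -evp aes-128-gcm` (the EVP path, which uses AES-NI when available) against `openssl speed aes-128-cbc` (the low-level path, which does not) shows the difference. tptacek's other option, a static whitelist of self-signed certificates, would replace the trust-store check in client_context with a comparison of the peer certificate's fingerprint (for instance SHA-256 over `ssl.peer_cert.to_der`) against the stored value, done before any application data is sent.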

~~~
jakobe
> add its certificate to your trust stores

I wouldn't install a company CA certificate on my Mac. It would theoretically
allow the company to intercept all my SSL connections. I'd rather validate SSL
certs for all the intranet servers manually.

~~~
tptacek
We're talking about server-to-server connectivity here.

~~~
jakobe
Huh? The top level comment said something about Google search using SSL and
"clicking through certificate warnings" which doesn't sound like server-to-server
connectivity to me.

