> From: openssl-users On Behalf Of Kurt Roeckx
> Sent: Thursday, December 18, 2014 16:36
>
> On Fri, Dec 19, 2014 at 02:30:07AM +0530, Prabhat Puroshottam wrote:
> > ***************************************
> > This is for *Client -> Agent*
> > ***************************************
> [...]
> >         Version 3.1
> [...]
> >         cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
> [...]
> > ***************************************
> > This is for *Client -> Proxy Server*
> > ***************************************
> >         cipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> So the difference here is that Java picks a DHE ciphersuite while
> otherwise you didn't. DHE gives you forward secrecy but is
> slower.

Good catch, I missed that. But it shouldn't be many *seconds* unless this is
very poor hardware. Especially since Java 7 (and IIRC 6) uses, as you can see
later in the trace, 768 bits. (Except export suites use 512 per RFC. Java 8
defaults DHE to 1024 and offers some new options for better.)

Although that reminds me, on the *first* session in a process, there might be
delay to initialize SecureRandom, depending on the platform and
options/environment. But not for all sessions.

To OP: assuming this delay happens on non-initial sessions more than rarely,
can you try putting jconsole or the newer (but more complicated) "Java Mission
Control" tools on the JVM running the proxy server while driving it with as
many requests as you can, to get some (rough) idea what's going on: is it CPU
bound? which threads? if you can capture stacks, which methods? Is it swapping?

One other thought: normally JSSE server uses a key manager that is preloaded
from a JKS. Are you using an unusual key manager like a PKCS#11 "token", or
even a custom one that does something costly like fetching from LDAP?

> You're also not using session resumption which might speed up the
> whole process. It at least looks like that proxy server might
> support that.

I assumed OP's traces are the first session. Besides, OpenSSL client doesn't
cache by default; you must code to enable it.

> You also seem to be using an old version of openssl that only
> supports TLSv1, I suggest you upgrade.

Good in general, but very unlikely to change JSSE-server performance.
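The thread raises three separable costs (DHE key exchange vs plain RSA, first-session SecureRandom seeding, and the lack of session resumption). The following is an added example, not code from the thread or from JSSE/OpenSSL, that measures each of them in one JVM: it runs a loopback JSSE server, handshakes twice per cipher suite on the same client SSLContext so the second handshake can be resumed, and compares session IDs to confirm resumption. It assumes a hypothetical JKS file `server.jks` with password `changeit` holding one RSA key pair, and needs Java 8 or later (for lambdas and for the `jdk.tls.ephemeralDHKeySize` property).

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.InetAddress;
import java.security.KeyStore;

/*
 * Added example (not from the openssl-users thread). Times JSSE handshakes
 * with the two suites seen in the traces and checks whether the second
 * handshake on a context resumed the first session.
 * Assumption: "server.jks" / "changeit" is a hypothetical keystore with one
 * RSA key pair; it is not something the thread provides.
 */
public class HandshakeTiming {
    static final String KEYSTORE = "server.jks";               // assumption
    static final char[] PASSWORD = "changeit".toCharArray();   // assumption

    static KeyStore loadKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        return ks;
    }

    // Server side: the usual JKS-backed key manager the thread calls "normal".
    static SSLContext serverContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(), PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client side trusts the same keystore, so the self-signed server cert validates.
    // Each new SSLContext has an empty client session cache.
    static SSLContext clientContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Accept loop in a daemon thread: complete the handshake, then close.
    static void serve(SSLServerSocket ss) {
        Thread t = new Thread(() -> {
            try {
                while (true) {
                    try (SSLSocket s = (SSLSocket) ss.accept()) { s.startHandshake(); }
                }
            } catch (IOException e) { /* server socket closed: exit loop */ }
        });
        t.setDaemon(true);
        t.start();
    }

    // Connect, restrict to one suite, handshake, and return elapsed ms.
    // The hex session ID is appended to idOut so callers can compare runs.
    static long handshake(SSLContext client, int port, String suite, StringBuilder idOut) throws IOException {
        try (SSLSocket s = (SSLSocket) client.getSocketFactory().createSocket("127.0.0.1", port)) {
            s.setEnabledProtocols(new String[] { "TLSv1.2" }); // session-ID resumption, as in the traces
            s.setEnabledCipherSuites(new String[] { suite });
            long t0 = System.nanoTime();
            s.startHandshake();
            long ms = (System.nanoTime() - t0) / 1_000_000;
            for (byte b : s.getSession().getId()) idOut.append(String.format("%02x", b));
            return ms;
        }
    }

    public static void main(String[] args) throws Exception {
        // Java 8: raise the DHE group from the 1024-bit default. Set before any
        // JSSE class loads (or pass -Djdk.tls.ephemeralDHKeySize=2048 on the command line).
        System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");

        SSLServerSocket ss = (SSLServerSocket) serverContext().getServerSocketFactory()
                .createServerSocket(0, 50, InetAddress.getLoopbackAddress());
        serve(ss);
        int port = ss.getLocalPort();

        String[] suites = { "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" };
        for (String suite : suites) {
            SSLContext client = clientContext();
            StringBuilder id1 = new StringBuilder(), id2 = new StringBuilder();
            long full = handshake(client, port, suite, id1);     // full handshake
            long second = handshake(client, port, suite, id2);   // should be resumed
            boolean resumed = id1.toString().equals(id2.toString());
            System.out.printf("%-36s full=%4d ms  second=%4d ms  resumed=%b%n", suite, full, second, resumed);
        }
        ss.close();
    }
}
```

The very first handshake in the process also pays for SecureRandom seeding, which is the first-session effect mentioned above; run the loop twice, or compare the first suite's numbers against a second invocation, to separate that from the DHE cost. If `resumed` prints `false`, the server or client context is not caching sessions, which is the same gap the quoted reply points out for the OpenSSL client. On JDK 8 before 8u161 the AES-256 suites additionally need the unlimited-strength policy files installed.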