PostgreSQL SSL cipher performance comparison


Background

Different SSL ciphers differ in cryptographic complexity, and therefore in the CPU overhead they impose.

The previous blog post described how PostgreSQL uses SSL to encrypt the data transfer between client and server:

《PostgreSQL 网络SSL的配置方法》 (How to configure SSL for PostgreSQL network connections)

This post looks at the overhead of the various ciphers.

Viewing the supported ciphers

Check which ciphers OpenSSL supports:

pg93@db-172-16-3-33-> openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5

Testing the performance of several ciphers

First, the results of openssl speed:

pg93@db-172-16-3-33-> openssl speed
Doing md2 for 3s on 16 size blocks: 479806 md2's in 3.00s
Doing md2 for 3s on 64 size blocks: 248817 md2's in 3.00s
Doing md2 for 3s on 256 size blocks: 85124 md2's in 3.00s
Doing md2 for 3s on 1024 size blocks: 23434 md2's in 3.00s
Doing md2 for 3s on 8192 size blocks: 3017 md2's in 3.00s
Doing md4 for 3s on 16 size blocks: 8022778 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 6670890 md4's in 3.00s
Doing md4 for 3s on 256 size blocks: 4438992 md4's in 3.00s
Doing md4 for 3s on 1024 size blocks: 1872622 md4's in 3.00s
Doing md4 for 3s on 8192 size blocks: 296091 md4's in 3.00s
Doing md5 for 3s on 16 size blocks: 6421765 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 5081238 md5's in 3.00s
Doing md5 for 3s on 256 size blocks: 3079671 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1214852 md5's in 3.00s
Doing md5 for 3s on 8192 size blocks: 180510 md5's in 3.00s
Doing hmac(md5) for 3s on 16 size blocks: 7510596 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 64 size blocks: 5770088 hmac(md5)'s in 3.01s
Doing hmac(md5) for 3s on 256 size blocks: 3326348 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 1024 size blocks: 1232492 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 8192 size blocks: 180013 hmac(md5)'s in 3.00s
Doing sha1 for 3s on 16 size blocks: 6738377 sha1's in 3.00s
Doing sha1 for 3s on 64 size blocks: 4877440 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 2841673 sha1's in 3.00s
Doing sha1 for 3s on 1024 size blocks: 1037506 sha1's in 3.00s
Doing sha1 for 3s on 8192 size blocks: 149783 sha1's in 3.00s
Doing sha256 for 3s on 16 size blocks: 5269102 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 3170549 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 1455054 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 461517 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 62664 sha256's in 3.00s
Doing sha512 for 3s on 16 size blocks: 3701251 sha512's in 3.00s
Doing sha512 for 3s on 64 size blocks: 3736901 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 1721261 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 659906 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 97821 sha512's in 3.01s
Doing rmd160 for 3s on 16 size blocks: 4712557 rmd160's in 3.00s
Doing rmd160 for 3s on 64 size blocks: 3124213 rmd160's in 3.00s
Doing rmd160 for 3s on 256 size blocks: 1557365 rmd160's in 3.00s
Doing rmd160 for 3s on 1024 size blocks: 514426 rmd160's in 3.00s
Doing rmd160 for 3s on 8192 size blocks: 70999 rmd160's in 3.00s
Doing rc4 for 3s on 16 size blocks: 36912081 rc4's in 3.00s
Doing rc4 for 3s on 64 size blocks: 10173699 rc4's in 3.00s
Doing rc4 for 3s on 256 size blocks: 2590258 rc4's in 3.00s
Doing rc4 for 3s on 1024 size blocks: 649631 rc4's in 3.00s
Doing rc4 for 3s on 8192 size blocks: 81440 rc4's in 3.00s
Doing des cbc for 3s on 16 size blocks: 8996392 des cbc's in 3.00s
Doing des cbc for 3s on 64 size blocks: 2299443 des cbc's in 3.00s
Doing des cbc for 3s on 256 size blocks: 576966 des cbc's in 3.00s
Doing des cbc for 3s on 1024 size blocks: 144407 des cbc's in 3.00s
Doing des cbc for 3s on 8192 size blocks: 18283 des cbc's in 3.00s
Doing des ede3 for 3s on 16 size blocks: 3522159 des ede3's in 3.00s
Doing des ede3 for 3s on 64 size blocks: 897137 des ede3's in 3.00s
Doing des ede3 for 3s on 256 size blocks: 225932 des ede3's in 3.00s
Doing des ede3 for 3s on 1024 size blocks: 56582 des ede3's in 3.00s
Doing des ede3 for 3s on 8192 size blocks: 7077 des ede3's in 3.00s
Doing aes-128 cbc for 3s on 16 size blocks: 15616486 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 64 size blocks: 4235413 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 1086541 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 273358 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 34218 aes-128 cbc's in 3.00s
Doing aes-192 cbc for 3s on 16 size blocks: 13256583 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 64 size blocks: 3553825 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 256 size blocks: 908465 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 1024 size blocks: 227746 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 8192 size blocks: 28490 aes-192 cbc's in 3.00s
Doing aes-256 cbc for 3s on 16 size blocks: 11483152 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 3060960 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 778693 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 195729 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 8192 size blocks: 24514 aes-256 cbc's in 3.00s
Doing aes-128 ige for 3s on 16 size blocks: 15576011 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 64 size blocks: 4119671 aes-128 ige's in 3.01s
Doing aes-128 ige for 3s on 256 size blocks: 1035491 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 1024 size blocks: 260456 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 8192 size blocks: 32541 aes-128 ige's in 3.01s
Doing aes-192 ige for 3s on 16 size blocks: 13175348 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 64 size blocks: 3456196 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 256 size blocks: 873093 aes-192 ige's in 3.01s
Doing aes-192 ige for 3s on 1024 size blocks: 218713 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 8192 size blocks: 27313 aes-192 ige's in 3.00s
Doing aes-256 ige for 3s on 16 size blocks: 11436763 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 64 size blocks: 2986768 aes-256 ige's in 3.00s
Doing aes-256 ige for 3s on 256 size blocks: 750692 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 1024 size blocks: 149847 aes-256 ige's in 2.39s
Doing aes-256 ige for 3s on 8192 size blocks: 17205 aes-256 ige's in 2.16s
Doing rc2 cbc for 3s on 16 size blocks: 3702966 rc2 cbc's in 2.09s
Doing rc2 cbc for 3s on 64 size blocks: 952118 rc2 cbc's in 2.06s
Doing rc2 cbc for 3s on 256 size blocks: 293392 rc2 cbc's in 2.62s
Doing rc2 cbc for 3s on 1024 size blocks: 56146 rc2 cbc's in 1.91s
Doing rc2 cbc for 3s on 8192 size blocks: 7284 rc2 cbc's in 2.03s
Doing blowfish cbc for 3s on 16 size blocks: 11804774 blowfish cbc's in 2.16s
Doing blowfish cbc for 3s on 64 size blocks: 3157527 blowfish cbc's in 2.22s
Doing blowfish cbc for 3s on 256 size blocks: 1047711 blowfish cbc's in 2.69s
Doing blowfish cbc for 3s on 1024 size blocks: 240092 blowfish cbc's in 2.47s
Doing blowfish cbc for 3s on 8192 size blocks: 24770 blowfish cbc's in 2.06s
Doing cast cbc for 3s on 16 size blocks: 9629452 cast cbc's in 2.06s
Doing cast cbc for 3s on 64 size blocks: 2581362 cast cbc's in 2.07s
Doing cast cbc for 3s on 256 size blocks: 771713 cast cbc's in 2.45s
Doing cast cbc for 3s on 1024 size blocks: 219380 cast cbc's in 2.80s
Doing cast cbc for 3s on 8192 size blocks: 29731 cast cbc's in 3.01s
Doing 512 bit private rsa's for 10s: 85584 512 bit private RSA's in 10.01s
Doing 512 bit public rsa's for 10s: 922993 512 bit public RSA's in 10.01s
Doing 1024 bit private rsa's for 10s: 17824 1024 bit private RSA's in 10.01s
Doing 1024 bit public rsa's for 10s: 325046 1024 bit public RSA's in 10.01s
Doing 2048 bit private rsa's for 10s: 2894 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 96519 2048 bit public RSA's in 10.01s
Doing 4096 bit private rsa's for 10s: 413 4096 bit private RSA's in 10.02s
Doing 4096 bit public rsa's for 10s: 26023 4096 bit public RSA's in 10.01s
Doing 512 bit sign dsa's for 10s: 91259 512 bit DSA signs in 10.01s
Doing 512 bit verify dsa's for 10s: 87942 512 bit DSA verify in 10.00s
Doing 1024 bit sign dsa's for 10s: 19801 1024 bit DSA signs in 10.00s
Doing 1024 bit verify dsa's for 10s: 16908 1024 bit DSA verify in 10.00s
Doing 2048 bit sign dsa's for 10s: 10043 2048 bit DSA signs in 10.00s
Doing 2048 bit verify dsa's for 10s: 8468 2048 bit DSA verify in 10.01s
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Mon Mar  4 16:16:11 EST 2013
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(ptr2) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2               2558.97k     5308.10k     7263.91k     7998.81k     8238.42k
mdc2                 0.00         0.00         0.00         0.00         0.00 
md4              42788.15k   142312.32k   378793.98k   639188.31k   808525.82k
md5              34249.41k   108399.74k   262798.59k   414669.48k   492912.64k
hmac(md5)        40056.51k   122686.26k   283848.36k   420690.60k   491555.50k
sha1             35938.01k   104052.05k   242489.43k   354135.38k   409007.45k
rmd160           25133.64k    66649.88k   132895.15k   175590.74k   193874.60k
rc4             196864.43k   217038.91k   221035.35k   221740.71k   222385.49k
des cbc          47980.76k    49054.78k    49234.43k    49290.92k    49924.78k
des ede3         18784.85k    19138.92k    19279.53k    19313.32k    19324.93k
idea cbc             0.00         0.00         0.00         0.00         0.00 
seed cbc             0.00         0.00         0.00         0.00         0.00 
rc2 cbc          28348.07k    29580.37k    28667.31k    30101.31k    29394.35k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00 
blowfish cbc     87442.77k    91027.81k    99707.81k    99536.12k    98502.83k
cast cbc         74791.86k    79810.23k    80636.13k    80230.40k    80915.73k
aes-128 cbc      83011.22k    90355.48k    92718.17k    93306.20k    93437.95k
aes-192 cbc      70701.78k    75814.93k    77522.35k    77737.30k    77796.69k
aes-256 cbc      61243.48k    65300.48k    66448.47k    66586.88k    66939.56k
camellia-128 cbc        0.00         0.00         0.00         0.00         0.00 
camellia-192 cbc        0.00         0.00         0.00         0.00         0.00 
camellia-256 cbc        0.00         0.00         0.00         0.00         0.00 
sha256           28101.88k    67638.38k   124164.61k   157531.14k   171114.50k
sha512           19740.01k    79720.55k   146880.94k   225247.91k   266229.11k
aes-128 ige      83072.06k    87594.33k    88361.90k    88902.31k    88563.41k
aes-192 ige      70268.52k    73732.18k    74256.41k    74654.04k    74582.70k
aes-256 ige      60793.42k    63717.72k    63846.23k    64202.23k    65251.56k
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000117s 0.000011s   8549.9  92207.1
rsa 1024 bits 0.000562s 0.000031s   1780.6  32472.1
rsa 2048 bits 0.003459s 0.000104s    289.1   9642.3
rsa 4096 bits 0.024262s 0.000385s     41.2   2599.7
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000110s 0.000114s   9116.8   8794.2
dsa 1024 bits 0.000505s 0.000591s   1980.1   1690.8
dsa 2048 bits 0.000996s 0.001182s   1004.3    846.0

Database test environment:

PostgreSQL 9.3 beta1

Test table

digoal=# create table test(id serial primary key, info text, crt_time timestamp);
CREATE TABLE

Test data

digoal=# insert into test (info,crt_time) select md5(random()::text),clock_timestamp() from generate_series(1,1000000);
INSERT 0 1000000

Test script

pg92@db-172-16-3-39-> cat sel.sql 
\setrandom id 1 1000000
select * from test where id=:id;

1. hostnossl test results

pg93@db-172-16-3-33-> vi pg_hba.conf
#hostssl all all 0.0.0.0/0 md5
hostnossl all all 0.0.0.0/0 md5
pg_ctl restart -m fast

pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
         Some psql features might not work.
Type "help" for help.
digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 3798056
tps = 63292.379368 (including connections establishing)
tps = 63337.244048 (excluding connections establishing)

2. hostssl test results

cipher=RC4-SHA test results:

Edit postgresql.conf:

ssl_ciphers = 'RC4-SHA:DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' 

Edit pg_hba.conf:

hostssl all all 0.0.0.0/0 md5
#hostnossl all all 0.0.0.0/0 md5

Restart the database.

Test results:

pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
         Some psql features might not work.
SSL connection (cipher: RC4-SHA, bits: 128)
Type "help" for help.

digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 3354725
tps = 55911.266097 (including connections establishing)
tps = 55940.407826 (excluding connections establishing)

cipher=AES128-SHA test results:

pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
         Some psql features might not work.
SSL connection (cipher: AES128-SHA, bits: 128)
Type "help" for help.

digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 2821590
tps = 47025.481115 (including connections establishing)
tps = 47050.672479 (excluding connections establishing)

cipher=DHE-RSA-AES256-SHA test results:

pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
         Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 2784774
tps = 46411.467433 (including connections establishing)
tps = 46465.745880 (excluding connections establishing)

From the test data, enabling SSL causes a very noticeable performance drop, especially when the bottleneck is the CPU.
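Relative to the hostnossl baseline, the three SSL runs above come out roughly 11.7% (RC4-SHA), 25.7% (AES128-SHA) and 26.6% (DHE-RSA-AES256-SHA) slower; note that RC4 has since been prohibited for TLS by RFC 7465, so the cheapest suite in these numbers is not a deployable one. The script below, an added example rather than the post's own code, automates that comparison for any list of suites. It assumes PGDATA names the server data directory, that pg_hba.conf has both the hostssl and hostnossl lines uncommented so that sslmode selects the transport, and the post's host, port and sel.sql.

```shell
#!/bin/sh
# Added example (not from the original post): run the per-cipher pgbench comparison
# above for a list of suites and report each suite's TPS and its drop against the
# hostnossl baseline. Assumed: PGDATA names the server data directory, pg_hba.conf
# has BOTH the hostssl and hostnossl lines uncommented (so sslmode selects the
# transport), and sel.sql from the post is in the current directory.
PGHOST=${PGHOST:-172.16.3.33}; PGPORT=${PGPORT:-1999}
PGUSER=${PGUSER:-postgres};    PGDB=${PGDB:-digoal}

# Pull the "excluding connections establishing" tps out of pgbench output.
parse_tps() {
    printf '%s\n' "$1" | awk '/excluding connections establishing/ { print $3 }'
}

# Percentage drop of tps $1 relative to baseline tps $2, one decimal place.
overhead_pct() {
    awk -v t="$1" -v b="$2" 'BEGIN { printf "%.1f", (b - t) / b * 100 }'
}

# Rewrite ssl_ciphers so the given suite is preferred, keeping the post's
# exclusions (!LOW:!EXP:!MD5) and @STRENGTH ordering, then restart fast.
set_cipher() {
    sed -i "s|^#\{0,1\}ssl_ciphers = .*|ssl_ciphers = '$1:DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'|" \
        "$PGDATA/postgresql.conf"
    pg_ctl -D "$PGDATA" restart -m fast >/dev/null
}

# Same pgbench invocation as in the post; PGSSLMODE (libpq) picks the transport.
run_bench() {
    PGSSLMODE="$1" pgbench -M prepared -n -f ./sel.sql -h "$PGHOST" -p "$PGPORT" \
        -U "$PGUSER" -T 60 -c 16 -j 4 "$PGDB"
}

main() {
    baseline=$(parse_tps "$(run_bench disable)")
    echo "baseline (hostnossl): $baseline tps"
    for suite in "$@"; do
        set_cipher "$suite"
        tps=$(parse_tps "$(run_bench require)")
        echo "$suite: $tps tps ($(overhead_pct "$tps" "$baseline")% slower)"
    done
}

# Usage: sh bench_ciphers.sh run RC4-SHA AES128-SHA DHE-RSA-AES256-SHA
if [ "${1:-}" = run ]; then shift; main "$@"; fi
```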
