PostgreSQL ssl ciphers performance 比较
背景
不同的SSL cipher加密复杂度,对CPU的开销都不一样。
上一篇BLOG介绍了PostgreSQL使用ssl加密客户端和服务端的数据传输.
本文将介绍一下各种cipher的开销。
查看支持的ciphers
查看openssl支持哪些ciphers :
pg93@db-172-16-3-33-> openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5
测试几个cipher的性能
首先是openssl的speed测试结果如下 :
pg93@db-172-16-3-33-> openssl speed
Doing md2 for 3s on 16 size blocks: 479806 md2's in 3.00s
Doing md2 for 3s on 64 size blocks: 248817 md2's in 3.00s
Doing md2 for 3s on 256 size blocks: 85124 md2's in 3.00s
Doing md2 for 3s on 1024 size blocks: 23434 md2's in 3.00s
Doing md2 for 3s on 8192 size blocks: 3017 md2's in 3.00s
Doing md4 for 3s on 16 size blocks: 8022778 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 6670890 md4's in 3.00s
Doing md4 for 3s on 256 size blocks: 4438992 md4's in 3.00s
Doing md4 for 3s on 1024 size blocks: 1872622 md4's in 3.00s
Doing md4 for 3s on 8192 size blocks: 296091 md4's in 3.00s
Doing md5 for 3s on 16 size blocks: 6421765 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 5081238 md5's in 3.00s
Doing md5 for 3s on 256 size blocks: 3079671 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1214852 md5's in 3.00s
Doing md5 for 3s on 8192 size blocks: 180510 md5's in 3.00s
Doing hmac(md5) for 3s on 16 size blocks: 7510596 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 64 size blocks: 5770088 hmac(md5)'s in 3.01s
Doing hmac(md5) for 3s on 256 size blocks: 3326348 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 1024 size blocks: 1232492 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 8192 size blocks: 180013 hmac(md5)'s in 3.00s
Doing sha1 for 3s on 16 size blocks: 6738377 sha1's in 3.00s
Doing sha1 for 3s on 64 size blocks: 4877440 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 2841673 sha1's in 3.00s
Doing sha1 for 3s on 1024 size blocks: 1037506 sha1's in 3.00s
Doing sha1 for 3s on 8192 size blocks: 149783 sha1's in 3.00s
Doing sha256 for 3s on 16 size blocks: 5269102 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 3170549 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 1455054 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 461517 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 62664 sha256's in 3.00s
Doing sha512 for 3s on 16 size blocks: 3701251 sha512's in 3.00s
Doing sha512 for 3s on 64 size blocks: 3736901 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 1721261 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 659906 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 97821 sha512's in 3.01s
Doing rmd160 for 3s on 16 size blocks: 4712557 rmd160's in 3.00s
Doing rmd160 for 3s on 64 size blocks: 3124213 rmd160's in 3.00s
Doing rmd160 for 3s on 256 size blocks: 1557365 rmd160's in 3.00s
Doing rmd160 for 3s on 1024 size blocks: 514426 rmd160's in 3.00s
Doing rmd160 for 3s on 8192 size blocks: 70999 rmd160's in 3.00s
Doing rc4 for 3s on 16 size blocks: 36912081 rc4's in 3.00s
Doing rc4 for 3s on 64 size blocks: 10173699 rc4's in 3.00s
Doing rc4 for 3s on 256 size blocks: 2590258 rc4's in 3.00s
Doing rc4 for 3s on 1024 size blocks: 649631 rc4's in 3.00s
Doing rc4 for 3s on 8192 size blocks: 81440 rc4's in 3.00s
Doing des cbc for 3s on 16 size blocks: 8996392 des cbc's in 3.00s
Doing des cbc for 3s on 64 size blocks: 2299443 des cbc's in 3.00s
Doing des cbc for 3s on 256 size blocks: 576966 des cbc's in 3.00s
Doing des cbc for 3s on 1024 size blocks: 144407 des cbc's in 3.00s
Doing des cbc for 3s on 8192 size blocks: 18283 des cbc's in 3.00s
Doing des ede3 for 3s on 16 size blocks: 3522159 des ede3's in 3.00s
Doing des ede3 for 3s on 64 size blocks: 897137 des ede3's in 3.00s
Doing des ede3 for 3s on 256 size blocks: 225932 des ede3's in 3.00s
Doing des ede3 for 3s on 1024 size blocks: 56582 des ede3's in 3.00s
Doing des ede3 for 3s on 8192 size blocks: 7077 des ede3's in 3.00s
Doing aes-128 cbc for 3s on 16 size blocks: 15616486 aes-128 cbc's in 3.01s
Doing aes-128 cbc for 3s on 64 size blocks: 4235413 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 1086541 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 273358 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 34218 aes-128 cbc's in 3.00s
Doing aes-192 cbc for 3s on 16 size blocks: 13256583 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 64 size blocks: 3553825 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 256 size blocks: 908465 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 1024 size blocks: 227746 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 8192 size blocks: 28490 aes-192 cbc's in 3.00s
Doing aes-256 cbc for 3s on 16 size blocks: 11483152 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 3060960 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 778693 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 195729 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 8192 size blocks: 24514 aes-256 cbc's in 3.00s
Doing aes-128 ige for 3s on 16 size blocks: 15576011 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 64 size blocks: 4119671 aes-128 ige's in 3.01s
Doing aes-128 ige for 3s on 256 size blocks: 1035491 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 1024 size blocks: 260456 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 8192 size blocks: 32541 aes-128 ige's in 3.01s
Doing aes-192 ige for 3s on 16 size blocks: 13175348 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 64 size blocks: 3456196 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 256 size blocks: 873093 aes-192 ige's in 3.01s
Doing aes-192 ige for 3s on 1024 size blocks: 218713 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 8192 size blocks: 27313 aes-192 ige's in 3.00s
Doing aes-256 ige for 3s on 16 size blocks: 11436763 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 64 size blocks: 2986768 aes-256 ige's in 3.00s
Doing aes-256 ige for 3s on 256 size blocks: 750692 aes-256 ige's in 3.01s
Doing aes-256 ige for 3s on 1024 size blocks: 149847 aes-256 ige's in 2.39s
Doing aes-256 ige for 3s on 8192 size blocks: 17205 aes-256 ige's in 2.16s
Doing rc2 cbc for 3s on 16 size blocks: 3702966 rc2 cbc's in 2.09s
Doing rc2 cbc for 3s on 64 size blocks: 952118 rc2 cbc's in 2.06s
Doing rc2 cbc for 3s on 256 size blocks: 293392 rc2 cbc's in 2.62s
Doing rc2 cbc for 3s on 1024 size blocks: 56146 rc2 cbc's in 1.91s
Doing rc2 cbc for 3s on 8192 size blocks: 7284 rc2 cbc's in 2.03s
Doing blowfish cbc for 3s on 16 size blocks: 11804774 blowfish cbc's in 2.16s
Doing blowfish cbc for 3s on 64 size blocks: 3157527 blowfish cbc's in 2.22s
Doing blowfish cbc for 3s on 256 size blocks: 1047711 blowfish cbc's in 2.69s
Doing blowfish cbc for 3s on 1024 size blocks: 240092 blowfish cbc's in 2.47s
Doing blowfish cbc for 3s on 8192 size blocks: 24770 blowfish cbc's in 2.06s
Doing cast cbc for 3s on 16 size blocks: 9629452 cast cbc's in 2.06s
Doing cast cbc for 3s on 64 size blocks: 2581362 cast cbc's in 2.07s
Doing cast cbc for 3s on 256 size blocks: 771713 cast cbc's in 2.45s
Doing cast cbc for 3s on 1024 size blocks: 219380 cast cbc's in 2.80s
Doing cast cbc for 3s on 8192 size blocks: 29731 cast cbc's in 3.01s
Doing 512 bit private rsa's for 10s: 85584 512 bit private RSA's in 10.01s
Doing 512 bit public rsa's for 10s: 922993 512 bit public RSA's in 10.01s
Doing 1024 bit private rsa's for 10s: 17824 1024 bit private RSA's in 10.01s
Doing 1024 bit public rsa's for 10s: 325046 1024 bit public RSA's in 10.01s
Doing 2048 bit private rsa's for 10s: 2894 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 96519 2048 bit public RSA's in 10.01s
Doing 4096 bit private rsa's for 10s: 413 4096 bit private RSA's in 10.02s
Doing 4096 bit public rsa's for 10s: 26023 4096 bit public RSA's in 10.01s
Doing 512 bit sign dsa's for 10s: 91259 512 bit DSA signs in 10.01s
Doing 512 bit verify dsa's for 10s: 87942 512 bit DSA verify in 10.00s
Doing 1024 bit sign dsa's for 10s: 19801 1024 bit DSA signs in 10.00s
Doing 1024 bit verify dsa's for 10s: 16908 1024 bit DSA verify in 10.00s
Doing 2048 bit sign dsa's for 10s: 10043 2048 bit DSA signs in 10.00s
Doing 2048 bit verify dsa's for 10s: 8468 2048 bit DSA verify in 10.01s
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Mon Mar 4 16:16:11 EST 2013
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
md2 2558.97k 5308.10k 7263.91k 7998.81k 8238.42k
mdc2 0.00 0.00 0.00 0.00 0.00
md4 42788.15k 142312.32k 378793.98k 639188.31k 808525.82k
md5 34249.41k 108399.74k 262798.59k 414669.48k 492912.64k
hmac(md5) 40056.51k 122686.26k 283848.36k 420690.60k 491555.50k
sha1 35938.01k 104052.05k 242489.43k 354135.38k 409007.45k
rmd160 25133.64k 66649.88k 132895.15k 175590.74k 193874.60k
rc4 196864.43k 217038.91k 221035.35k 221740.71k 222385.49k
des cbc 47980.76k 49054.78k 49234.43k 49290.92k 49924.78k
des ede3 18784.85k 19138.92k 19279.53k 19313.32k 19324.93k
idea cbc 0.00 0.00 0.00 0.00 0.00
seed cbc 0.00 0.00 0.00 0.00 0.00
rc2 cbc 28348.07k 29580.37k 28667.31k 30101.31k 29394.35k
rc5-32/12 cbc 0.00 0.00 0.00 0.00 0.00
blowfish cbc 87442.77k 91027.81k 99707.81k 99536.12k 98502.83k
cast cbc 74791.86k 79810.23k 80636.13k 80230.40k 80915.73k
aes-128 cbc 83011.22k 90355.48k 92718.17k 93306.20k 93437.95k
aes-192 cbc 70701.78k 75814.93k 77522.35k 77737.30k 77796.69k
aes-256 cbc 61243.48k 65300.48k 66448.47k 66586.88k 66939.56k
camellia-128 cbc 0.00 0.00 0.00 0.00 0.00
camellia-192 cbc 0.00 0.00 0.00 0.00 0.00
camellia-256 cbc 0.00 0.00 0.00 0.00 0.00
sha256 28101.88k 67638.38k 124164.61k 157531.14k 171114.50k
sha512 19740.01k 79720.55k 146880.94k 225247.91k 266229.11k
aes-128 ige 83072.06k 87594.33k 88361.90k 88902.31k 88563.41k
aes-192 ige 70268.52k 73732.18k 74256.41k 74654.04k 74582.70k
aes-256 ige 60793.42k 63717.72k 63846.23k 64202.23k 65251.56k
sign verify sign/s verify/s
rsa 512 bits 0.000117s 0.000011s 8549.9 92207.1
rsa 1024 bits 0.000562s 0.000031s 1780.6 32472.1
rsa 2048 bits 0.003459s 0.000104s 289.1 9642.3
rsa 4096 bits 0.024262s 0.000385s 41.2 2599.7
sign verify sign/s verify/s
dsa 512 bits 0.000110s 0.000114s 9116.8 8794.2
dsa 1024 bits 0.000505s 0.000591s 1980.1 1690.8
dsa 2048 bits 0.000996s 0.001182s 1004.3 846.0
数据库测试环境 :
PostgreSQL 9.3 beta1
测试表
digoal=# create table test(id serial primary key, info text, crt_time timestamp);
CREATE TABLE
测试数据
digoal=# insert into test (info,crt_time) select md5(random()::text),clock_timestamp() from generate_series(1,1000000);
INSERT 0 1000000
测试脚本
pg92@db-172-16-3-39-> cat sel.sql
\setrandom id 1 1000000
select * from test where id=:id;
1. hostnossl测试结果
pg93@db-172-16-3-33-> vi pg_hba.conf
#hostssl all all 0.0.0.0/0 md5
hostnossl all all 0.0.0.0/0 md5
pg_ctl restart -m fast
pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
Some psql features might not work.
Type "help" for help.
digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 3798056
tps = 63292.379368 (including connections establishing)
tps = 63337.244048 (excluding connections establishing)
2. hostssl 测试,
cipher=RC4-SHA测试结果 :
修改postgresql.conf ,
ssl_ciphers = 'RC4-SHA:DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'
修改pg_hba.conf
hostssl all all 0.0.0.0/0 md5
#hostnossl all all 0.0.0.0/0 md5
重启数据库.
测试结果 :
pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
Some psql features might not work.
SSL connection (cipher: RC4-SHA, bits: 128)
Type "help" for help.
digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 3354725
tps = 55911.266097 (including connections establishing)
tps = 55940.407826 (excluding connections establishing)
cipher=AES128-SHA测试结果 :
pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
Some psql features might not work.
SSL connection (cipher: AES128-SHA, bits: 128)
Type "help" for help.
digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 2821590
tps = 47025.481115 (including connections establishing)
tps = 47050.672479 (excluding connections establishing)
cipher=DHE-RSA-AES256-SHA测试结果 :
pg92@db-172-16-3-39-> psql -h 172.16.3.33 -p 1999 -U postgres digoal
psql (9.2beta1, server 9.3devel)
WARNING: psql version 9.2, server version 9.3.
Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
digoal=# \q
pg92@db-172-16-3-39-> pgbench -M prepared -n -f ./sel.sql -h 172.16.3.33 -p 1999 -U postgres -T 60 -c 16 -j 4 digoal
transaction type: Custom query
scaling factor: 1
query mode: prepared
number of clients: 16
number of threads: 4
duration: 60 s
number of transactions actually processed: 2784774
tps = 46411.467433 (including connections establishing)
tps = 46465.745880 (excluding connections establishing)
从测试数据来看, 使用ssl后性能下降非常明显, 特别是当瓶颈在CPU时.