Bug #46546 Large performance hit when using YaSSL over OpenSSL
Submitted: 4 Aug 2009 16:02 Modified: 25 Jul 2019 11:20
Reporter: Andrew Hutchings
Status: Won't fix
Category: MySQL Server: General Severity: S3 (Non-critical)
Version: 5.0.83 OS: Any
Assigned to:
CPU Architecture: Any

[4 Aug 2009 16:02] Andrew Hutchings
Description:
YaSSL is giving a large performance hit on opening connections at both the client and server side when compared to OpenSSL (my tests are using OpenSSL 0.9.8k-fips 25 Mar 2009).

Details below:
OpenSSL client and server:
real	0m51.429s
user	0m27.353s
sys	0m5.548s

real	0m51.277s
user	0m27.247s
sys	0m5.289s

real	0m51.639s
user	0m27.481s
sys	0m5.456s

YaSSL client and server:
real	2m51.871s
user	1m25.606s
sys	0m3.857s

real	2m51.842s
user	1m25.972s
sys	0m3.884s

real	2m50.845s
user	1m25.549s
sys	0m3.856s

OpenSSL client, YaSSL server:
real	1m53.367s
user	0m27.182s
sys	0m4.928s

real	1m53.048s
user	0m27.194s
sys	0m4.723s

real	1m53.793s
user	0m27.274s
sys	0m4.945s

YaSSL client, OpenSSL server:
real	1m49.484s
user	1m26.573s
sys	0m3.994s

real	1m48.299s
user	1m25.969s
sys	0m3.821s

real	1m47.735s
user	1m25.667s
sys	0m3.762s

How to repeat:
./configure --with-openssl --with-debug
and
./configure --with-yassl --with-debug

Test script run (switch yassl for openssl when testing openssl client):
#!/bin/bash
for i in {1..500}
do
mysql-5.0.83-yassl/bin/mysql --protocol=tcp --host=localhost --ssl --ssl-ca=newcerts/ca-cert.pem --ssl-cert=newcerts/client-cert.pem --ssl-key=newcerts/client-key.pem -uroot -e 'select * from mysql.user' > /dev/null
done

my.cnf is bare apart from the ssl cert settings.
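
Added example, not part of the original report: a small script that breaks the `time` results above into client CPU and wait time per client/server pairing, which shows how much of the slowdown each side contributes. It assumes each real/user/sys triple times one full run of the 500-connection loop; the function and variable names are made up for this example.

```shell
#!/bin/bash
# Added example (not from the bug report): split bash `time` output into
# client CPU and wait time for each client/server pairing.
# Assumption: each real/user/sys triple times one run of the 500-connection
# loop, so user+sys is client-side CPU and real-(user+sys) is time the client
# spent waiting on the server and the loopback network.
CONNECTIONS=500   # loop count in the report's test script

# Reads `time` output on stdin (one value per line or one run per line); prints
# "<mean real s> <mean client CPU s> <mean wait s> <real ms per connection>".
summarize() {
  LC_ALL=C awk -v n="$CONNECTIONS" '
    # "2m51.871s" -> seconds
    function secs(t,   p) { sub(/s$/, "", t); split(t, p, "m"); return p[1] * 60 + p[2] }
    { for (i = 1; i < NF; i++) {
        if ($i == "real") { real += secs($(i + 1)); runs++ }
        else if ($i == "user" || $i == "sys") cpu += secs($(i + 1))
    } }
    END {
      if (runs == 0) { print "no timings found" > "/dev/stderr"; exit 1 }
      r = real / runs; c = cpu / runs
      printf "%.1f %.1f %.1f %.1f\n", r, c, r - c, r * 1000 / n
    }'
}

# Timings copied from the report, rewritten as one run per line.
OPENSSL_BOTH='real 0m51.429s user 0m27.353s sys 0m5.548s
real 0m51.277s user 0m27.247s sys 0m5.289s
real 0m51.639s user 0m27.481s sys 0m5.456s'
YASSL_BOTH='real 2m51.871s user 1m25.606s sys 0m3.857s
real 2m51.842s user 1m25.972s sys 0m3.884s
real 2m50.845s user 1m25.549s sys 0m3.856s'
OPENSSL_CLIENT_YASSL_SERVER='real 1m53.367s user 0m27.182s sys 0m4.928s
real 1m53.048s user 0m27.194s sys 0m4.723s
real 1m53.793s user 0m27.274s sys 0m4.945s'
YASSL_CLIENT_OPENSSL_SERVER='real 1m49.484s user 1m26.573s sys 0m3.994s
real 1m48.299s user 1m25.969s sys 0m3.821s
real 1m47.735s user 1m25.667s sys 0m3.762s'

report() { echo "$1: $(printf '%s\n' "$2" | summarize)"; }

echo "pairing: real_s client_cpu_s wait_s ms_per_connection"
report "OpenSSL client, OpenSSL server" "$OPENSSL_BOTH"
report "YaSSL client, YaSSL server" "$YASSL_BOTH"
report "OpenSSL client, YaSSL server" "$OPENSSL_CLIENT_YASSL_SERVER"
report "YaSSL client, OpenSSL server" "$YASSL_CLIENT_OPENSSL_SERVER"
```
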
[4 Aug 2009 16:57] Andrew Hutchings
Callgrind for YaSSL client and server

Attachment: callgrind.out.14693 (application/octet-stream, text), 389.11 KiB.

[4 Aug 2009 16:57] Andrew Hutchings
Callgrind for OpenSSL client when using YaSSL server

Attachment: callgrind.out.14786 (application/octet-stream, text), 295.74 KiB.

[4 Aug 2009 17:02] Andrew Hutchings
Running the last 2 attachments through kcachegrind shows that most of the time is taken with TaoCrypt's RecursiveMultiply.
[7 Aug 2009 8:33] Sergei Golubchik
Andrew, could you submit a bug report to yassl?
I suppose the only thing *we* can do is to build with openssl when possible.
[9 Aug 2009 7:09] Andrew Hutchings
My initial benchmarks show that CyaSSL is many times faster (RSA decryption is nearly 10x faster than YaSSL). If licensing supports this I suggest looking into moving to this. Especially since this would help with the C++/C issues with APIs.
[16 Mar 2012 9:27] MySQL Verification Team
http://www.yassl.com/yaSSL/Blog/Entries/2011/4/28_MySQL_SSL_Performance_Benchmarking.html
[25 Jul 2019 11:20] Erlend Dahl
We will remove the support for YaSSL in an upcoming release.