LemmyNet/activitypub-federation-rust

Switch from OpenSSL to Rustls

zachtyll opened this issue · 6 comments

I'd like to raise some discussion about moving from OpenSSL to Rustls.

Moving away from OpenSSL would make the project more portable, since you don't have to fiddle with OpenSSL's installation. Additionally, Rustls makes smart use of the type state pattern and Rust's move semantics to improve security.

I do support the idea of moving away from OpenSSL, but there are better solutions than what you've suggested. Using a dedicated RSA library like what the RustCrypto guys made would probably be better for this project's use case.

Since signing messages takes up a significant amount of CPU time and we're signing millions of messages, there probably needs to be some benchmarking done to prevent a large performance regression.

> Since signing messages takes up a significant amount of CPU time and we're signing millions of messages, there probably needs to be some benchmarking done to prevent a large performance regression.

I'm not familiar with Rust benchmarking in the slightest, but I decided to try and improvise, just to get an idea of what the differences in performance might be at a very basic level.

Taking from the examples for rsa and openssl provided by both of the respective projects, I made a quick thing checking how long it would take for both of them to:

  • Create a private key
  • Generate a public key from said private key
  • Sign a 230 character string using the private key

I used /bin/time -v to get these stats. Here are the results:

rsa

Command being timed: "cargo run"
User time (seconds): 0.49
System time (seconds): 0.12
Percent of CPU this job got: 119%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.51
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 218176
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 0
Minor (reclaiming a frame) page faults: 42945
Voluntary context switches: 669
Involuntary context switches: 13
Swaps: 0
File system inputs: 0
File system outputs: 21872
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0

openssl

Command being timed: "cargo run"
User time (seconds): 0.30
System time (seconds): 0.12
Percent of CPU this job got: 102%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.41
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 178612
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 0
Minor (reclaiming a frame) page faults: 33667
Voluntary context switches: 214
Involuntary context switches: 15
Swaps: 0
File system inputs: 0
File system outputs: 11360
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0

Just from a quick glance, rsa is heavier on resources, and a bit slower than openssl too. The people who made rsa have said that they plan to do more optimization for it in the future - but for the time being, I don't see a real advantage to using rsa, other than moving away from OpenSSL (which, while good, shouldn't be the primary reason for switching away from it).

If anyone wants to do better than me on the benchmarking, or has an alternate RSA library to check out, lemmie know.

Make sure you use cargo run --release and add lto="thin" to [profile.release] in cargo; Rust is really slow in dev mode.

> Make sure you use cargo run --release and add lto="thin" to [profile.release] in cargo; Rust is really slow in dev mode.

Good catch. I redid the tests using what you suggested, and here's what I got:

rsa

Command being timed: "cargo run --release"
User time (seconds): 0.03
System time (seconds): 0.02
Percent of CPU this job got: 100%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.06
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 25468
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 0
Minor (reclaiming a frame) page faults: 2121
Voluntary context switches: 5
Involuntary context switches: 1
Swaps: 0
File system inputs: 0
File system outputs: 8
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0

openssl

Command being timed: "cargo run --release"
User time (seconds): 0.05
System time (seconds): 0.01
Percent of CPU this job got: 98%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.06
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 25212
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 0
Minor (reclaiming a frame) page faults: 2122
Voluntary context switches: 5
Involuntary context switches: 2
Swaps: 0
File system inputs: 0
File system outputs: 8
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0

Looks like, in production, they're mostly equivalent from a resource standpoint, with rsa being a little faster than openssl.

I'm glad to know I was wrong the first time around. Thanks for helping me out with this.