Tomcat Native / OpenSSL in Spring Boot 2.0

Craig Rueda
Apr 6, 2018 · 5 min read

The Solution(s)

NGINX sidecar

Tomcat Native + OpenSSL

Tomcat Native Setup (OSX)

$ brew install openssl apr
$ ./configure --with-ssl=/usr/local/Cellar/openssl/1.0.2o
$ cp ./.libs/* /usr/lib/tcnative

Spring Boot Setup

# This allows Tomcat to find the native libs
-Djava.library.path=/usr/lib/tcnative

Loaded APR based Apache Tomcat Native library [1.2.16] using APR version [1.6.3].
APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
OpenSSL successfully initialized [OpenSSL 1.0.2o 27 Mar 2018]
...
Starting ProtocolHandler ["https-openssl-apr-8080"]
Tomcat started on port(s): 8080 (https) with context path ''
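The page does not show how the sample app turns the `-Dserver.ssl.certificateFile` / `-Dserver.ssl.certificateKeyFile` properties into an OpenSSL-backed connector, so here is an added example of one way to do it in Spring Boot 2.0 (example code, not the post's own tcnativeapp). It assumes the properties are bound with `@Value`, that the APR connector is wanted (the `https-openssl-apr-8080` handler name in the log above comes from `Http11AprProtocol`), and that the Tomcat Native library is on `java.library.path` so the `AprLifecycleListener` Spring Boot registers can load it.

```java
// Added example: configure the embedded Tomcat APR/OpenSSL connector from PEM files.
// Class and bean names are hypothetical; the Tomcat and Spring Boot APIs are real.
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class OpenSslTomcatConfig {

    // Same property names as the -D flags used on this page (binding is an assumption).
    @Value("${server.ssl.certificateFile}")
    private String certificateFile;

    @Value("${server.ssl.certificateKeyFile}")
    private String certificateKeyFile;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> openSslCustomizer() {
        return factory -> {
            // The APR connector terminates TLS in tcnative/OpenSSL instead of JSSE.
            // Tomcat names it "https-openssl-apr-<port>" once SSL is enabled.
            factory.setProtocol("org.apache.coyote.http11.Http11AprProtocol");
            factory.addConnectorCustomizers(openSslConnector());
        };
    }

    private TomcatConnectorCustomizer openSslConnector() {
        return connector -> {
            AbstractHttp11Protocol<?> protocol =
                    (AbstractHttp11Protocol<?>) connector.getProtocolHandler();

            // OpenSSL reads PEM directly; no keystore conversion needed.
            SSLHostConfig sslHostConfig = new SSLHostConfig();
            sslHostConfig.setCertificateFile(certificateFile);
            sslHostConfig.setCertificateKeyFile(certificateKeyFile);
            // Pin the protocol set explicitly rather than inheriting the
            // linked OpenSSL build's defaults, which vary by version.
            sslHostConfig.setProtocols("TLSv1.2");

            protocol.addSslHostConfig(sslHostConfig);
            protocol.setSSLEnabled(true);
            connector.setScheme("https");
            connector.setSecure(true);
        };
    }
}
```

Check the startup log for "Loaded APR based Apache Tomcat Native library" and the `https-openssl-apr-` handler name; if the native library fails to load, the APR connector will not start at all rather than silently falling back to JSSE.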

The nitty-gritty (performance)

$ echo "GET https://localhost:8080/sample" | vegeta attack -duration=60s -keepalive=false -insecure -rate=100 | tee results.bin | vegeta report

For the impatient

Baseline HTTP (no TLS)

$ java -Dserver.ssl.enabled=false -Xms4g -Xmx4g -XX:+UseG1GC -jar target/tcnativeapp-0.0.1-SNAPSHOT.jar
Requests [total, rate] 6000, 100.02
Duration [total, attack, wait] 59.99225804s, 59.989998s, 2.26004ms
Latencies [mean, 50, 95, 99, max] 2.643921ms, 2.832854ms, 3.159403ms, 3.351027ms, 5.25038ms
Bytes In [total, mean] 12000, 2.00
Bytes Out [total, mean] 0, 0.00
Success [ratio] 100.00%
Status Codes [code:count] 200:6000

JSSE

$ java -Dserver.ssl.aprEnabled=false -Dserver.ssl.keyStore=`pwd`/target/keystore.jks -Dserver.ssl.keyPassword=password -Xms4g -Xmx4g -XX:+UseG1GC -jar target/tcnativeapp-0.0.1-SNAPSHOT.jar
Requests [total, rate] 6000, 100.02
Duration [total, attack, wait] 59.999126055s, 59.989999s, 9.127055ms
Latencies [mean, 50, 95, 99, max] 8.958652ms, 8.920439ms, 10.156994ms, 11.644574ms, 27.745671ms
Bytes In [total, mean] 12000, 2.00
Bytes Out [total, mean] 0, 0.00
Success [ratio] 100.00%
Status Codes [code:count] 200:6000

Tomcat Native + OpenSSL

$ java -Dserver.ssl.certificateFile=`pwd`/target/cert.pem -Dserver.ssl.certificateKeyFile=`pwd`/target/key.pem -Djava.library.path=/usr/local/tcnative -Xms4g -Xmx4g -XX:+UseG1GC -jar target/tcnativeapp-0.0.1-SNAPSHOT.jar
Requests [total, rate] 6000, 100.02
Duration [total, attack, wait] 59.99576466s, 59.989998s, 5.76666ms
Latencies [mean, 50, 95, 99, max] 5.115931ms, 5.31726ms, 5.897839ms, 6.222025ms, 21.364298ms
Bytes In [total, mean] 12000, 2.00
Bytes Out [total, mean] 0, 0.00
Success [ratio] 100.00%
Status Codes [code:count] 200:6000

NGINX as reverse proxy

$ java -Dserver.ssl.enabled=false -Xms4g -Xmx4g -XX:+UseG1GC -jar target/tcnativeapp-0.0.1-SNAPSHOT.jar
Requests [total, rate] 6000, 100.02 
Duration [total, attack, wait] 59.995316001s, 59.989999s, 5.317001ms
Latencies [mean, 50, 95, 99, max] 5.364559ms, 5.634727ms, 6.371684ms, 6.789601ms, 26.711814ms
Bytes In [total, mean] 12000, 2.00
Bytes Out [total, mean] 0, 0.00
Success [ratio] 100.00%
Status Codes [code:count] 200:6000

Conclusion
