The following report is covering performance evaluation of the currently available OpenSSL releases when they are used by MySQL in CPU-intensive OLTP workloads. However, the main focus is on OpenSSL-3.5.5, which will be used by default in the next MySQL releases.

Preface

There is a long historical background related to OpenSSL performance issues observed along the last 6 years : starting by dramatic scalability bottleneck in OpenSSL-1.0, which then fortunately was fixed in OpenSSL-1.1.1, followed by massive regression in OpenSSL-3.0, and finally progressive work of OpenSSL Team to make 3.x series more closer to OpenSSL-1.1.1 performance levels..

The main "take away" from the past investigations is about how to evaluate any OpenSSL release in the shortest possible time duration, but still with a guarantee of the fair and representative results :

  • the test case must be intensively CPU-bound
  • it should execute very short and fast SQL queries
  • (longer / slower queries will hide SSL overhead)
  • additional test case should cover re-connect event
  • (opening SSL connection is costly, while many MySQL users still have Production workloads with frequent re-connects, similar to PHP-pages)
  • and then, to evaluate "pure impact" of SSL we should execute test workloads locally on the same hosts, using UNIX-socket or IP-port for user connections
  • after what replay the same over real Network to obtain more real-life representative results

To cover exposed above conditions we can limit investigation to the following 2 tests :

  • Sysbench Point-SELECTs : the fastest OLTP Read-Only workload based on Primary Keys (PK) look-ups. Running extremely fast, and depending on available Hardware, may scale to 6M QPS or more (6M QPS is the current biggest QPS number obtained as of today) -- and 1M QPS for the biggest BM.48 server involved in the following testing.

  • Sysbench Re-Connect SELECTs : the same test workload as above, except after each SELECT query we're re-connecting to MySQL Server ! -- such test workload will be extremely stressful for SSL and will fairly evaluate connection initiation overhead.

NOTE : in both workloads were not using prepared statements to make evaluation more representative (while in re-connect test case using prepared statements is just useless, since it'll be dropped on each re-connect)..

OpenSSL releases

To complete the full puzzle about SSL overhead as of today, we'll use the following OpenSSL releases :

  • OpenSSL-1.1.1L -- the most efficient and the fastest OpenSSL until now
  • OpenSSL-3.0.19 -- the latest in 3.0 series, was the worse in the past, LTS
  • OpenSSL-3.3.6
  • OpenSSL-3.4.4
  • OpenSSL-3.5.5 -- the target release, the latest LTS
  • OpenSSL-3.6.1 -- the current "development" release

Test Systems

In the current evaluation we're using the following systems to execute test workloads :

  • BM.48 : 48cores-HT Intel, 192GB RAM, OL7
  • BM.44 : 44cores-HT Intel, 512GB RAM, OL7
  • OCI VM X9.16 : 16cores-HT Intel, 256GB RAM, OL8
  • OCI VM E4.16 : 16cores-HT AMD E4, 256GB RAM, OL8

and when Over-Network tests are executed, we're using :

  • BM.44 as "client" for BM.48 used as "server"
  • X9.8 VM as "client" for X9.16 VM used as "server"
  • E4.8 VM as "client" for E4.16 VM used as "server"

About Test Results

During the tests we're also executing the same workloads with SSL=on (SSL1) and with SSL=off (SSL0) to understand overall SSL impact. However, sometimes the gap between SSL0 and SSL1 is so big, that you'll no more see any difference between OpenSSL releases if all the results are represented on the same graph !

Here are few examples :

  • the first graph is about QPS numbers obtained on BM.48 server with MySQL 9.7 (trunk) on point-selects workload
  • and the second graph is about re-connect QPS results

And if on the first graph the gap between SSL0 and SSL1 is not too big, we cannot say the same about the second graph, right ? -- and now the same, but over-Network :

  • the gaps are lower now due Network overhead
  • but on re-connects it's still significant

And that's why on all the following graphsI'll only show the results with SSL=on (SSL1).

NOTE : hope you're not having any trouble in reading graphs legend, and translate for ex. "SSL1-ssl111L" into "SSL=on, OpenSSL-1.1.1L" result, and "SSL1-ssl3019" into "SSL=on, OpenSSL-3.0.19", and so on..

Point-SELECTs Workload | Local-IP

The following are the test results obtained on Point-SELECTs workload executed locally on each server and using local IP-port (loopback 127.0.0.1) :

MySQL 9.7 (trunk)

BM.44

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.4.9

BM.44

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.0.46

BM.44

BM.48

OCI VM X9.16

OCI VM E4.16

Point-SELECTs Workload | Over-Network

The following are the test results obtained on Point-SELECTs workload executed Over-Network :

MySQL 9.7 (trunk)

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.4.9

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.0.46

BM.48

OCI VM X9.16

OCI VM E4.16

Re-Connects SELECTs Workload | Local-IP

The following are the test results obtained on Re-Connect SELECTs workload executed locally on each server and using local IP-port (loopback 127.0.0.1) :

MySQL 9.7 (trunk)

BM.44

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.4.9

BM.44

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.0.46

BM.44

BM.48

OCI VM X9.16

OCI VM E4.16

Re-Connects SELECTs Workload | Over-Network

The following are the test results obtained on Re-Connect SELECTs workload executed Over-Network :

MySQL 9.7 (trunk)

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.4.9

BM.48

OCI VM X9.16

OCI VM E4.16

MySQL 8.0.46

BM.48

OCI VM X9.16

OCI VM E4.16

SUMMARY

  • OpenSSL-1.1.1 is still the best release delivered until now in OpenSSL family
  • OpenSSL-3.5.5 is doing fine, definitively better than previously used OpenSSL-3.0
  • OpenSSL-3.6.1 is giving some hope to see more performance improvement in the next releases, and maybe one day become at least not worse than OpenSSL-1.1.1 ;-))

Thank you for using MySQL !!!