Speeding Up SSL
You may have heard that secure TLS/SSL encryption must come at a cost to server performance, but LiteSpeed rejects that notion! Our implementation features the following speed-saving measures, all while continuing to keep security paramount.
TLS Record Direct
Rather than relying on third-party SSL libraries with their heavy, inflexible and bloated code path, LiteSpeed builds the TLS record directly. This minimizes data copies and allows the web server to directly control TLS record size in the process.
TLS sendfile()
By implementing an efficient sendfile()-like API, and loading file data directly into the TLS record buffer, LiteSpeed minimizes deep copies and beats kernel TLS (kTLS) efficiency. In a comparison with rival web servers Apache and nginx, LiteSpeed Web Server’s throughput of file streams over TLS almost doubled!
SSL Handshake Offloading
The SSL handshake is the most expensive operation in SSL. Event-driven servers usually perform the SSL handshake in the main event loop thread, but when there is a large number of incoming SSL connections, this method may cause the event loop to become heavily clogged. To utilize multi-core processors in a modern server, LiteSpeed Web Server offloads the handshake operation to separate worker threads. By avoiding blockage of the main event loop, we improve SSL handshake performance.
Dynamic TLS Record Size
LSWS dynamically adjusts TLS record size to deliver data in an optimal way under a variety of conditions. When it’s necessary to improve time to first byte, a small TLS record is used to deliver data quickly. When improving throughput is the goal, maximum-sized TLS records are used to reduce TLS protocol overhead.
TLS Record Buffering
In order to reduce system-call overhead and network-packet-level fragmentation, LSWS combines multiple TLS records together and sends them over one system call.
TLS Certificate Compression
While the IETF is working on the TLS Certificate Compression standard, Google Chrome already supports it. LiteSpeed supports certificate compression, too, thereby reducing the amount of data that server and client exchange during the handshake.
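To make the certificate compression exchange concrete, here is an added example (not LiteSpeed's code) that frames and parses the CompressedCertificate message body as laid out in RFC 8879, using the zlib algorithm. The `MAX_UNCOMPRESSED` cap and the sample certificate bytes are assumptions constructed for illustration; the receiver side shows the length checks that keep a peer from turning compression into a decompression bomb.

```python
import zlib

ALG_ZLIB = 1                 # CertificateCompressionAlgorithm: zlib (RFC 8879)
MAX_UNCOMPRESSED = 1 << 16   # assumed local cap, far below the uint24 wire limit

# Constructed stand-in for a Certificate handshake message (not a real chain).
SAMPLE_CERT_MSG = b"\x30\x82\x03\x10" + b"CN=example.test,O=Constructed Sample;" * 20


def encode_compressed_certificate(cert_msg: bytes) -> bytes:
    """Sender: algorithm(2) | uncompressed_length(3) | opaque<1..2^24-1>."""
    comp = zlib.compress(cert_msg, 9)
    if len(cert_msg) >= 1 << 24 or len(comp) >= 1 << 24:
        raise ValueError("message does not fit the uint24 length fields")
    return (ALG_ZLIB.to_bytes(2, "big")
            + len(cert_msg).to_bytes(3, "big")
            + len(comp).to_bytes(3, "big") + comp)


def decode_compressed_certificate(body: bytes) -> bytes:
    """Receiver: validate every length before and after inflating."""
    if len(body) < 8:
        raise ValueError("truncated CompressedCertificate")
    alg = int.from_bytes(body[0:2], "big")
    declared = int.from_bytes(body[2:5], "big")
    comp_len = int.from_bytes(body[5:8], "big")
    comp = body[8:]
    if alg != ALG_ZLIB:
        raise ValueError("algorithm was not offered")
    if comp_len == 0 or comp_len != len(comp):
        raise ValueError("compressed length does not match payload")
    if declared > MAX_UNCOMPRESSED:
        raise ValueError("declared length exceeds local cap")
    inflater = zlib.decompressobj()
    try:
        # Inflate at most declared + 1 bytes, so an oversized stream is
        # detected without ever being expanded in full.
        out = inflater.decompress(comp, declared + 1)
    except zlib.error as exc:
        raise ValueError("corrupt zlib stream") from exc
    if len(out) != declared or not inflater.eof or inflater.unused_data:
        raise ValueError("uncompressed length mismatch")
    return out


if __name__ == "__main__":
    wire = encode_compressed_certificate(SAMPLE_CERT_MSG)
    print(len(SAMPLE_CERT_MSG), "bytes ->", len(wire), "bytes on the wire")
```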