dnsdist: Investigate and document OpenSSL 3.x performance
- Program: dnsdist
- Issue type: Feature request
Short description
The performance regression in OpenSSL 3.x is a very real problem that keeps showing up when DNSdist users upgrade to a more recent version of their distribution of choice. I'm afraid we cannot do anything to fix it, but we might at least be able to fix the pain by documenting it. Moving to GnuTLS is known to help in some cases. The problem is especially visible when a lot of threads / CPU cores are in use.
Related issues:
- https://github.com/openssl/openssl/issues/17064
- https://github.com/openssl/openssl/issues/17627
- https://github.com/haproxy/haproxy/issues/2454
On the same topic, it would be nice to investigate whether DNSdist can use https://github.com/aws/aws-lc or https://github.com/rustls/rustls-openssl-compat (although I'm not sure the latter would help, since it uses libcrypto internally).
Interesting read on this topic: https://www.haproxy.com/blog/state-of-ssl-stacks
> In blunt terms: running OpenSSL 3.0.2 as shipped with Ubuntu 22.04 results in 1/100 of WolfSSL’s performance on identical hardware!
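A first thing an operator hitting this will want to know is which TLS library their dnsdist binary actually links, since the regression only applies to the OpenSSL 3.x line and GnuTLS builds are unaffected by it. The script below is an added example, not code from the dnsdist project or from this issue: it classifies `ldd` output into OpenSSL 3.x / OpenSSL 1.1 / GnuTLS and parses the major version out of `openssl version` output. It assumes a dynamically linked binary and GNU `ldd` output; the binary name and the sample `ldd` lines are constructed.

```shell
#!/bin/sh
# Added example (not dnsdist project code): tell whether a dnsdist binary is
# linked against OpenSSL 3.x, OpenSSL 1.1, or GnuTLS, so the OpenSSL 3.x
# performance regression can be ruled in or out for a given build.
# Assumes a dynamically linked binary and GNU ldd output format.

# Classify ldd output read from stdin. Prints one of:
#   openssl-3 | openssl-1 | gnutls | none
classify_tls_backend() {
    ldd_out=$(cat)
    if printf '%s\n' "$ldd_out" | grep -q 'libgnutls\.so'; then
        echo gnutls
    elif printf '%s\n' "$ldd_out" | grep -q 'libssl\.so\.3'; then
        echo openssl-3
    elif printf '%s\n' "$ldd_out" | grep -q 'libssl\.so\.1'; then
        echo openssl-1
    else
        echo none
    fi
}

# Extract the major version from "openssl version" output such as
# "OpenSSL 3.0.2 15 Mar 2022". Prints the major number, or nothing.
openssl_major() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p'
}

# One-line verdict for a binary path (hypothetical helper around the above).
report_tls_backend() {
    bin=$1
    backend=$(ldd "$bin" 2>/dev/null | classify_tls_backend)
    case "$backend" in
        openssl-3) echo "$bin: OpenSSL 3.x - the regression discussed in this issue can apply; GnuTLS helps in some cases" ;;
        openssl-1) echo "$bin: OpenSSL 1.1 - not in the affected 3.x line" ;;
        gnutls)    echo "$bin: GnuTLS - not affected by the OpenSSL 3.x regression" ;;
        *)         echo "$bin: no TLS library in ldd output (static build, or not a dynamic executable?)" ;;
    esac
}

# Constructed sample ldd output, used when no binary path is given.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd3b1f0000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1c2a800000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2a200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29e00000)'

if [ $# -gt 0 ]; then
    report_tls_backend "$1"          # e.g. ./check.sh /usr/bin/dnsdist
else
    printf '%s\n' "$SAMPLE_LDD" | classify_tls_backend   # prints: openssl-3
fi
```

Run it with the path to the dnsdist binary to get the verdict for a real build; with no argument it classifies the constructed sample. Note that a static build, or a build using a vendored TLS library, will show no `libssl`/`libgnutls` line at all, which is why the script reports `none` rather than assuming OpenSSL.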
> it would be nice to investigate whether DNSdist can use https://github.com/aws/aws-lc or https://github.com/rustls/rustls-openssl-compat (although I'm not sure the latter would help, since it uses libcrypto internally).
I suspect it would help, since AIUI the performance issues with OpenSSL 3.x are primarily in libssl and its locking strategy, and not the lower-level cryptography primitives.
There's also https://github.com/rustls/rustls-ffi if you're not tied to the OpenSSL API in particular and just want FFI to Rustls+aws-lc.