
Awesome article, some return from the field

Posted Jan 15, 2026 14:16 UTC (Thu) by Vorpal (guest, #136011)
In reply to: Awesome article, some return from the field by hkario
Parent article: The State of OpenSSL for pyca/cryptography

Doesn't sound like the regression is small:

> Several years ago, we filed a bug reporting that elliptic curve public key loading had regressed 5-8x between OpenSSL 1.1.1 and 3.0.7. The reason we had noticed this is that performance had gotten so bad that we’d seen it in our test suite runtimes. Since then, OpenSSL has improved performance such that it’s only 3x slower than it used to be.

And

> As a result of these sorts of regressions, when pyca/cryptography migrated X.509 certificate parsing from OpenSSL to our own Rust code, we got a 10x performance improvement relative to OpenSSL 3 (n.b., some of this improvement is attributable to advantages in our own code, but much is explainable by the OpenSSL 3 regressions). Later, moving public key parsing to our own Rust code made end-to-end X.509 path validation 60% faster — just improving key loading led to a 60% end-to-end improvement, that’s how extreme the overhead of key parsing in OpenSSL was.

I cannot reconcile that with your statement. And as they said, performance is not the only problem, the API is terrible too.


Awesome article, some return from the field

Posted Jan 15, 2026 14:35 UTC (Thu) by pizza (subscriber, #46)

> Doesn't sound like the regression is small:
> I cannot reconcile that with your statement

The article you quote specifically is about 1.1.1 versus 3.0.7, whereas the comment you are replying to is about 3.5.x

(3.0.0 was released in September 2021, 3.5.0 was released in April 2025, and a significant chunk of the work during those 3.5 years was focused on improving performance)

Awesome article, some return from the field

Posted Jan 15, 2026 14:41 UTC (Thu) by randomguy3 (subscriber, #71063)

> Since then, OpenSSL has improved performance such that it’s only 3x slower than it used to be.

It doesn't make clear what version is being referred to here, but it's implying a current version with "since then" - I would assume either 3.5 or 3.6.

Awesome article, some return from the field

Posted Jan 15, 2026 16:13 UTC (Thu) by hkario (subscriber, #94864)

pyca/cryptography folks have been complaining about openssl since the release of 3.0, so, no, it's not a safe assumption

Awesome article, some return from the field

Posted Jan 15, 2026 18:54 UTC (Thu) by iabervon (subscriber, #722)

From the fact that the next paragraph is about them switching some non-cryptographic parsing operations to their own Rust code and getting performance better than 1.1.1, I would assume that openssl 3.something was 3x slower than 1.1.1 when they switched, and they're not interested in profiling 3.5 or 3.6 unless they hear it's now significantly better than 1.1.1, not just about the same.

