We are running an application within a Tomcat 6.0.35 server on RHEL 5.7/i386 that queries our company's Active Directory using LDAP over SSL. One of the queries involves expanding a large distribution list. Since the upgrade from JDK 1.6.27 to 1.6.29 (or 1.6.30) the performance of this LDAP query has degraded dramatically, from about 8 seconds to more than 300 seconds. This only happens when encrypting the LDAP connection.
We are not sure how to debug this further. Which information would we need to provide to get to the root of this? I was thinking that perhaps the Tomcat output with the javax.net.debug=ssl,handshake property set for 1.6.27 and 1.6.29/30 would be sufficient?
With Java 1.6.29/30, the basic response/reply between the Tomcat and the AD server looks like:
1.6.0_29 is writing the request in two chunks rather than one, which might cause a small ciphertext size increase, and receiving (11920-5696) bytes less in reply for some unknown reason, very curious, but there is nothing there that would cause an 8/300 performance degradation, unless there is very significant time between e.g. the 32-byte write and the 160-byte write, and I don't see any reason why there would be. Is there any timing information in the AD logs? And are you sure it's exactly the same LDAP query? With the same results?
We are sure that our application generates the same LDAP queries, whether the LDAP connection is secured with TLS or not.
Unfortunately, I'm not sure how I could generate timing information. Just looking at the log, the queries/responses are generally a lot slower with 1.6.0_29, but that's just what our "eyeball mark I" tells us. Do you have any idea how we could generate timing data?
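The timing data asked about above can be collected on the application side. The following is an added example, not code from any of the posters: it runs the same JNDI search once over plain LDAP and once over LDAPS and reports the bind, search and result-read phases separately, so a slowdown can be placed in the handshake/bind or in reading the large reply. Host, bind DN, password, base DN and the group DN in the filter are placeholders.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapTiming {
    // Placeholders: replace with your AD base DN and the distribution list to expand.
    static final String BASE_DN = "DC=example,DC=com";
    static final String FILTER = "(distinguishedName=CN=biglist,OU=Groups,DC=example,DC=com)";

    public static void main(String[] args) throws NamingException {
        String host = args.length > 0 ? args[0] : "ad.example.com";                      // placeholder
        String user = args.length > 1 ? args[1] : "CN=svc,OU=Service,DC=example,DC=com"; // placeholder
        String pass = args.length > 2 ? args[2] : "changeit";                            // placeholder
        // Same query twice: plain LDAP on 389, then LDAP over SSL on 636.
        runOnce("ldap://" + host + ":389", user, pass, false);
        runOnce("ldaps://" + host + ":636", user, pass, true);
    }

    static void runOnce(String url, String user, String pass, boolean ssl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, pass);
        if (ssl) env.put(Context.SECURITY_PROTOCOL, "ssl");

        long t0 = System.nanoTime();
        DirContext ctx = new InitialDirContext(env);   // TCP connect, TLS handshake and bind
        long t1 = System.nanoTime();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "member" });
        NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, FILTER, sc);
        long t2 = System.nanoTime();
        int entries = 0, members = 0;
        while (results.hasMore()) {                     // reading a large reply is where the bytes flow
            Attribute member = results.next().getAttributes().get("member");
            entries++;
            if (member != null) members += member.size();
        }
        long t3 = System.nanoTime();
        ctx.close();
        System.out.printf("%s: bind %d ms, search %d ms, read %d ms (%d entries, %d members)%n",
            url, (t1 - t0) / 1000000L, (t2 - t1) / 1000000L, (t3 - t2) / 1000000L, entries, members);
    }
}
```

Running it under each JDK (optionally with -Djavax.net.debug=ssl,handshake) gives per-phase numbers to compare, instead of an eyeball estimate from the debug log.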
I have experienced this same issue with the performance of a utility library which queries an LDAP connection over SSL. In 1.6.0_27 it took 1-2 seconds to perform a common task with the library and now it takes somewhere around 50 seconds to perform the same task with 1.6.0_29/30. I found that if we replace the jre/lib/jsse.jar in the newer JDK with the one from 1.6.0_27 we can get around this issue so I wonder if there is another regression bug similar to this one: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725
The fix for 7157903 is now in the *7u6* developer preview (build 06) at http://jdk7.java.net/. This addressed http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7133330 , which is the specific bug filed for LDAP.