TLS v1.3 performance compared to TLS v1.2

chendo -

I was doing some certificate maintenance on our cluster and decided it had been a while since I ran an SSL Test, so I ran it against our edge cluster and it gave us a shiny A+.

However, I noticed that our max TLS version was 1.2 rather than the newer and faster 1.3, as 1.3 removes an extra RTT for a faster handshake. Turns out the version of nginx-ingress we were using was still using 1.2 only as default. A quick ConfigMap change later, and we were on 1.3.

I wanted to know what the performance improvement was for such a simple change, so I did some fairly rudimentary tests with time curl --resolve <host>:<port>:<ip> --tls-max <version>  against an endpoint being served by a Lua script inside nginx itself.

From Australia to our Canadian edge node (217ms away), which represents higher latency setups (either cellular connections, or lack of closer edge termination nodes):

  • TLSv1.2:  ~929ms, 3.4x RTT
  • TLSv1.3: ~707ms, 2.6x RTT

From Australia to Australia (17ms away)

  • TLSv1.2: ~112ms, 6.5x RTT
  • TLSv1.3: ~95ms , 5.5x RTT

Fairly easy performance win if you haven't enabled TLS v1.3 already!