OpenSSL 3.x has serious performance problems — and nobody seems to be fixing them. On modern hardware, it suffers major slowdowns (in some cases up to 99% vs 1.1.1) due to heavy locking.
Performance is critical to our team, so we needed to figure this out. We spent a ton of time digging into this and ran tests with HAProxy and compared libraries like AWS-LC, WolfSSL, and LibreSSL to see what actually works well at scale. The results are pretty rough for OpenSSL 3.x, mostly due to locking issues. While we found some ways to improve performance, the underlying architecture of the 3.x version is not built for multi-threaded applications. We found that other libraries are much more performant, though they have their own issues.
If you're working on high-performance infrastructure and wondering which TLS library to use (or avoid), this post lays out what’s going on and what your options are.