Situation

Let's say you use a specific ciphersuite, like TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 on your embedded platform.

When you benchmark the individual cipher and hash speeds you get the following performance:

  • AES-128-CBC: 321 Kb/s
  • SHA256-HMAC: 441 Kb/s

So you'd expect reasonable performance for your SSL connection as well.

But when you benchmark sending and receiving data over SSL/TLS, you only get around 9 Kb/s.

What's wrong?

Explanation

In the 1.2 branch, when the SSL debug module POLARSSL_DEBUG_C was enabled in config.h (see How do I configure PolarSSL), the debug messages were always formatted, regardless of whether they were printed or not.

When you disable the debug module, your performance will jump to about half the above speeds (as both AES and HMAC need to be performed). In our test it was 167 Kb/s, quite a bit more than the original 9 Kb/s.

In the 1.3 branch, starting with the 1.3.7 release, the situation was improved by introducing debug_set_threshold(), which makes it possible to skip formatting of most messages that will not be displayed. However, some calls to snprintf() were still executed until the 1.3.12 release.

In the 2.0 branch, the overhead of the SSL debug module should be negligible when mbedtls_debug_set_threshold( 0 ); is called. You may still want to disable MBEDTLS_DEBUG_C in config.h in order to reduce the footprint and get the last few percent of performance improvement.
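The difference between formatting every message and checking the threshold first, as an added C model of the behaviour described above. It is not PolarSSL or mbed TLS source; dbg(), sink(), count_format_calls() and the workload of four messages per record are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

/* Added model; all names are hypothetical, not library code. */
static int threshold;            /* 0 = show nothing */
static unsigned long fmt_calls;  /* times vsnprintf() actually ran */
static unsigned long shown;      /* messages that reached the sink */

static void sink(const char *msg) { (void)msg; shown++; }

/* gated == 0: format first, drop afterwards (the always-formatting case).
 * gated == 1: compare against the threshold before formatting. */
static void dbg(int gated, int level, const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    if (gated && level > threshold) return;  /* skipped before any formatting */
    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf), fmt, ap);    /* the expensive step */
    va_end(ap);
    fmt_calls++;
    if (level <= threshold) sink(buf);       /* ungated: dropped only now */
}

/* Simulate `records` records, each emitting one message at levels 1..4
 * (constructed workload); returns the number of format calls it cost. */
unsigned long count_format_calls(int gated, int thr, int records)
{
    threshold = thr; fmt_calls = 0; shown = 0;
    for (int r = 0; r < records; r++)
        for (int lvl = 1; lvl <= 4; lvl++)
            dbg(gated, lvl, "record %d: level %d, len=0x%04x", r, lvl, 0x4000);
    return fmt_calls;
}

int main(void)
{
    printf("ungated, threshold 0: %lu format calls\n", count_format_calls(0, 0, 1000));
    printf("gated,   threshold 0: %lu format calls\n", count_format_calls(1, 0, 1000));
    return 0;
}
```

With the threshold at 0 the gated variant never reaches vsnprintf(), while the ungated one pays for every message even though none is shown.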
