TLS Handshake Latency from RSA Certificates
warning | latency | Updated Jun 20, 2021
RSA certificate decryption is slow in Go, causing elevated TLS handshake latency (>50ms) that compounds request latency, especially for short-lived connections or workloads with a high connection rate.
Technologies:
How to detect:
Measure TLS handshake duration separately from request duration. Alert when minio.tls.handshake_duration_seconds.p99 exceeds 50ms with RSA certificates, or when connection establishment latency dominates total request time for small object operations.
Recommended action:
Generate ECDSA-signed certificates using 'certgen -host <IPs>' instead of RSA. Replace existing certificates in ~/.minio/certs/ on all nodes and restart MinIO. Verify TLS handshake latency drops by 50-70%. For very high connection rates, consider TLS session resumption or connection pooling in clients.
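One way to measure handshake time on its own and compare the two key types before and after a certificate swap. This is an added example, not MinIO code. It assumes a loopback HTTPS server from net/http/httptest standing in for a node, a constructed self-signed certificate, RSA-2048 and ECDSA P-256 key sizes, and the hypothetical names MeanHandshake, rsaKey and ecKey.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http/httptest"
	"time"
)

var rsaKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed demo keys
var ecKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// MeanHandshake returns the mean time of n (> 0) full TLS handshakes, TCP connect excluded.
func MeanHandshake(key crypto.Signer, n int) (mean time.Duration, alg x509.PublicKeyAlgorithm, err error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) // self-signed
	if err != nil {
		return 0, 0, err
	}
	srv := httptest.NewUnstartedServer(nil) // no requests are sent, only handshakes
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only this certificate; verification stays on
	for i := 0; i < n && err == nil; i++ {
		var raw net.Conn
		if raw, err = net.Dial("tcp", srv.Listener.Addr().String()); err == nil {
			// A fresh config has no session cache, so every handshake is a full one.
			conn := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: "127.0.0.1"})
			start := time.Now() // clock starts after the TCP connect
			err = conn.Handshake()
			mean += time.Since(start)
			conn.Close()
		}
	}
	return mean / time.Duration(n), srv.Certificate().PublicKeyAlgorithm, err
}

func main() {
	fmt.Println(MeanHandshake(rsaKey, 20))
	fmt.Println(MeanHandshake(ecKey, 20))
}
```

Each output line shows the mean handshake time, the certificate key algorithm and any error. The numbers reflect loopback on the local machine, so treat them as a relative comparison rather than a production latency figure.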