Performance Impact of SSL Encryption in MySQL: Comparison of OpenSSL and yaSSL

MySQL can be compiled with OpenSSL or yaSSL/wolfSSL, both supporting SSL connections; MySQL 5.7 uses yaSSL by default, while 8.0 uses OpenSSL. This report evaluates the performance impact of SSL encryption and compares the two libraries.

Test Content : Two test groups were created – an SSL connection group and a transparent encryption group – each exercising eleven sysbench OLTP scenarios (e.g., oltp_delete , oltp_insert , oltp_point_select , etc.).

Test Environment :

Install and initialize MySQL on an SSD data directory.

Generate a 2048‑bit RSA key pair and certificates using OpenSSL: # generate root key openssl genrsa 2048 > ca-key.pem # generate root certificate openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem # generate server CSR and key openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem openssl rsa -in server-key.pem -out server-key.pem openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem # generate client CSR and key openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem openssl rsa -in client-key.pem -out client-key.pem openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Start mysqld service.

Run sysbench commands (example for oltp_delete ): export LD_LIBRARY_PATH=/***/***/lib sysbench --tables=100 --table-size=4000000 --threads=50 --mysql-db=sbtest --mysql-user=root --time=300 oltp_delete prepare sysbench --tables=100 --table-size=4000000 --threads=50 --mysql-db=sbtest --mysql-user=root --time=300 oltp_delete run sysbench --tables=100 --table-size=4000000 --threads=50 --mysql-db=sbtest --mysql-user=root --time=300 oltp_delete cleanup

Collect I/O, CPU and perf data with iostat , perf top and pt‑pmp .

For the non‑SSL baseline, add skip_ssl=on to the MySQL configuration and restart.

Short‑connection test: run N processes each executing M MySQL commands (connect‑run‑disconnect). Example script runs 20 processes each performing 10 000 inserts & selects, then 100 processes each performing 1 000 connections.

SSL Connection Test Group – Results & Analysis :

In most scenarios (e.g., oltp_delete , oltp_insert , oltp_update_index ) the TPS difference between yaSSL and no‑SSL is under 5%.

Significant drops (26‑43%) occur in oltp_point_select , oltp_read_only and oltp_read_write , where perf profiling shows the hot spots are the encryption functions TaoCrypt::AES::encrypt and TaoCrypt::SHA::Transform .

OpenSSL generally outperforms yaSSL in the three high‑impact scenarios, though oltp_point_select shows an anomaly.

Short‑connection tests reveal that disabling SSL yields ~4.5× higher TPS with OpenSSL and ~7.6× with yaSSL.

Transparent Encryption Test Group – Results & Analysis :

Enabling yaSSL encryption reduces TPS by roughly 40% in write‑heavy workloads ( oltp_delete , oltp_insert , oltp_update_index , etc.) and about 20% in read‑only workloads.

Workloads such as oltp_read_write , select_random_points , select_random_ranges and bulk_insert show little difference.

CPU utilization rises with encryption, but I/O remains the primary bottleneck; disabling log‑bin improves TPS by ~10%.

For select_random_points and select_random_ranges , buffer‑pool hits are 100%, indicating no I/O and thus negligible encryption impact.

In bulk_insert , lock contention on InnoDB’s Adaptive Hash Index dominates; disabling it raises TPS to ~685 k.

Overall, OpenSSL encryption provides 20‑40% better performance than yaSSL and is often comparable to the no‑encryption baseline.

Conclusion :

SSL encryption introduces performance overhead, with yaSSL causing larger degradations than OpenSSL. OpenSSL 1.1‑based builds further reduce the impact compared to OpenSSL 1.0. In most MySQL workloads the penalty is modest, but certain point‑select and short‑connection scenarios suffer noticeable slow‑downs.