SSL client traffic severely limited to ~30 MB/s when using NSURLSession, curl

Number: rdar://36824755    Date Originated: 2018-01-24
Status: Open    Resolved:
Product: macOS > Networking    Product Version: 10.13.2
Classification: Bug    Reproducible: Always

TLS traffic is severely constrained on macOS 10.13, limited to around ~30-40 MB/s rather than using the full available bandwidth (typically ~110 MB/s when using gigabit ethernet). This affects most of Apple's own apps including Safari, built-in classes like NSURLSession, and even curl. This is a regression from 10.12, where transfers were able to use the full available bandwidth (to the best of my memory), and seems to stem from the version of LibreSSL/BoringSSL used internally by different tools.

This is unfortunate as it limits our ability to use the built-in networking libraries to deliver high performance transfers on gigabit and faster networks. Worse, we have tried using curl to perform comparison transfers, and have noticed that building the same version of curl from scratch with OpenSSL alleviates all of these issues, something we can't do with NSURLSession. This affects services running on the same machine using TLS over TCP, or other servers on the same gigabit network.

See also for some speed comparisons between library versions.

Steps to Reproduce:
Set up an nginx or other HTTPS server on the local machine. Connect to it using curl ($ curl -vk https://localhost/hugefile.bin > ./hugedownload.bin). Notice HTTPS speeds are strangely low considering we are connecting to ourselves.

Expected Results:
Faster than gigabit speeds since we are connecting to ourselves.

Actual Results:
~30-40 MB/s, or roughly a third of a gigabit connection.

macOS 10.13.2

Mac mini latest generation, 10.13.2

nginx sample configuration:
    server {
        listen       8081;
        server_name  localhost;
        root         /Users/localadmin/nginxtest;

        # Enable TLS on this listener
        ssl on;

        ssl_certificate      /usr/local/etc/nginx/ssl/cert.crt;
        ssl_certificate_key  /usr/local/etc/nginx/ssl/key.key;

        ssl_protocols TLSv1.2;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
    }

