Susan... I don't know if this is what you are looking for, but here is a list of SSL issues I have been working with:
- Memory consumption reading lots of SSL certs. I compiled a separate openssl-1.0.2d package in /usr/lib64/trafficserver/openssl so it doesn’t mess with other packages relying on openssl. This solved our memory leak and loads significantly faster than the openssl-1.0.1e. With over 10,000 certs, openssl-1.0.1e was taking minutes to load; with openssl-1.0.2d it takes about 6 seconds for ATS to start the server. (https://issues.apache.org/jira/browse/TS-3554)
- qsort() in ATS: I rewrote the qsort() in traffic server to use a median-of-three qsort. The previous implementation would cause ATS to seg fault with as many certs as we load. (https://issues.apache.org/jira/browse/TS-3867)
- glibc getaddrinfo() inventories every IP address on every network interface. Previously, we were configuring every cert with a dedicated IP. We ended up with over 10k IPs bound to the same server. Once we started using an SNI configuration in ssl_multicert.config, openssl started calling getaddrinfo() on every request. There is a commit in glibc from 2011 (https://sourceware.org/bugzilla/show_bug.cgi?id=12907) that addresses this, but it has not been pulled into RedHat or CentOS' releases of glibc. I have bug reports filed for both of them (https://bugzilla.redhat.com/show_bug.cgi?id=1270950 and https://bugs.centos.org/view.php?id=0009589). I have also been communicating with Johnny Hughes (package maintainer for CentOS) to see if we can get this commit expedited into the next glibc release for CentOS/RedHat.
- We recently updated our cipher suite to retire RC4.

Let me know if you are interested in more details...

Thanks,
Steven

> -----Original Message-----
> From: Susan Hinrichs [mailto:shinr...@network-geographics.com]
> Sent: Monday, November 09, 2015 2:47 PM
> To: dev@trafficserver.apache.org
> Subject: SSL issues since last summit
>
> Hi All,
>
> I'm organizing a discussion of SSL issues in ATS since we last met.
> Please let me know if you have been working on SSL issues that you feel
> should be discussed.
>
> Brian Geffon, I have your work on TS-3960 noted. You can send me a line or
> two about that issue. And/or talk to the issue during the summit.
>
> Thanks,
> Susan