Thanks Steven,

I added a slide to talk about your issues with scaling.

Susan

On 11/10/2015 11:34 AM, Steven R. Feltner wrote:
Susan...

I don't know if this is what you are looking for, but here is a list of SSL 
issues I have been working with:

- Memory consumption reading lots of SSL certs.  I compiled a separate 
openssl-1.0.2d package compiled in /usr/lib64/trafficserver/openssl so it 
doesn’t mess with other packages relying on openssl.  This solved our memory 
leak and loads significantly faster than the openssl-1.0.1e.  With over 10,000 
certs, openssl-1.0.1e was taking minutes to load, with openssl-1.0.2d it takes 
about 6 seconds for ATS to start the server.  
(https://issues.apache.org/jira/browse/TS-3554)

- qsort() in ATS:  I rewrote the qsort() in traffic server to use a median of 
three qsort.   The previous implementation would cause ATS to seg fault with as 
many certs as we load.  (https://issues.apache.org/jira/browse/TS-3867)

- glibc getaddrinfo() inventories every IP address on every network interface.  
Previously, we were configuring every cert with a dedicated IP.  We ended up 
with over 10k IPs bound to the same server.  Once we started using an SNI 
configuration in ssl_multicert.config, openssl started calling getaddrinfo() on 
every request.  There is a commit in glibc from 2011 
(https://sourceware.org/bugzilla/show_bug.cgi?id=12907) that addresses this, 
but it has not been pulled into RedHat or CentOS' releases of glibc.  I have 
bug reports filed for both of them 
(https://bugzilla.redhat.com/show_bug.cgi?id=1270950 and 
https://bugs.centos.org/view.php?id=0009589).  I have also been communicating 
with Johnny Hughes (package maintainer for CentOS) to see if we can get this 
commit expedited into the next glibc release for CentOS/RedHat.

- We recently updated our cipher suite to retire RC4.

Let me know if you are interested in more details...

Thanks,
Steven

-----Original Message-----
From: Susan Hinrichs [mailto:shinr...@network-geographics.com]
Sent: Monday, November 09, 2015 2:47 PM
To: dev@trafficserver.apache.org
Subject: SSL issues since last summit

Hi All,

I'm organizing a discussion of SSL issues in ATS since we last met.
Please let me know if you have been working on SSL issues that you feel
should be discussed.

Brian Geffon, I have your work on TS-3960 noted.  You can send me a line or
two about that issue.  And/or talk to the issue during the summit.

Thanks,
Susan
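For Steven's qsort item above, an added example (not ATS code and not the TS-3867 patch): a median-of-three quicksort in C that goes one step beyond the mail by also recursing only into the smaller partition, so call depth stays logarithmic on an already-sorted 10k-entry input, the worst case for a naive first-element pivot. That deep recursion was what made the old qsort crash is my assumption; the mail only says it segfaulted with many certs.

```c
/* Added example, not ATS code: median-of-three quicksort that recurses only into the
 * smaller partition, so stack depth stays O(log n) even on already-sorted input.
 * Assumption (not stated in the mail): the crash came from a simple-pivot quicksort
 * recursing about n levels deep on a large, nearly sorted list of cert entries. */
#include <stdio.h>
#include <stdlib.h>

static void swap_int(int *a, int *b) { int t = *a; *a = *b; *b = t; }
/* Order a[lo], a[mid], a[hi]; the median ends up at a[mid] and is the pivot. */
static int median_of_three(int *a, long lo, long hi) {
    long mid = lo + (hi - lo) / 2;
    if (a[mid] < a[lo]) swap_int(&a[mid], &a[lo]);
    if (a[hi] < a[lo]) swap_int(&a[hi], &a[lo]);
    if (a[hi] < a[mid]) swap_int(&a[hi], &a[mid]);
    return a[mid];
}
/* Sort a[lo..hi] in place; returns the deepest recursion level reached. */
static size_t qsort_m3(int *a, long lo, long hi, size_t depth) {
    size_t max_depth = depth, d;
    while (lo < hi) {
        int pivot = median_of_three(a, lo, hi);
        long i = lo, j = hi;
        while (i <= j) { /* Hoare-style partition around the pivot value */
            while (a[i] < pivot) i++;
            while (a[j] > pivot) j--;
            if (i <= j) { swap_int(&a[i], &a[j]); i++; j--; }
        }
        /* Now a[lo..j] <= pivot <= a[i..hi]: recurse into the smaller side, loop on the larger. */
        if (j - lo < hi - i) { d = qsort_m3(a, lo, j, depth + 1); lo = i; }
        else                 { d = qsort_m3(a, i, hi, depth + 1); hi = j; }
        if (d > max_depth) max_depth = d;
    }
    return max_depth;
}
size_t sort_ints(int *a, size_t n) { return n < 2 ? 0 : qsort_m3(a, 0, (long)n - 1, 0); }
int is_sorted(const int *a, size_t n) {
    for (size_t k = 1; k < n; k++) if (a[k - 1] > a[k]) return 0;
    return 1;
}
/* Constructed input: n values already in ascending (or, if descending != 0, descending)
 * order. Returns the max recursion depth, or (size_t)-1 if the output is not sorted. */
size_t input_depth(size_t n, int descending) {
    int *a = malloc(n * sizeof *a);
    if (!a) return (size_t)-1;
    for (size_t k = 0; k < n; k++) a[k] = descending ? (int)(n - 1 - k) : (int)k;
    size_t depth = sort_ints(a, n), result = is_sorted(a, n) ? depth : (size_t)-1;
    free(a);
    return result;
}
int main(void) { printf("10000 sorted ints: max depth %zu\n", input_depth(10000, 0)); return 0; }
```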
