I have a slide to talk about alternative SSL implementations (boringssl,
s2n, and libressl).
I know that Bryan has done some analysis on the bottlenecks of the
openssl implementation as we use it. At a minimum we can launch into a
discussion based on his and others' performance-analysis experiences.
On 11/10/2015 3:18 PM, Miles Libbey wrote:
I'd think it would be interesting to talk about SSL performance. As I (probably
don't) understand it, OpenSSL's TLS significantly impairs several aspects of
ATS's performance. Is there anything we can do about that? Would alternative
TLS implementations (Amazon's s2n; boringssl, anything else?) be worth
exploring? Are there requests we could make to the TLS communities?
miles
On Tuesday, November 10, 2015 11:12 AM, Susan Hinrichs
<shinr...@network-geographics.com> wrote:
Thanks Steven,
I added a slide to talk about your issues with scaling.
Susan
On 11/10/2015 11:34 AM, Steven R. Feltner wrote:
Susan...
I don't know if this is what you are looking for, but here is a list of SSL
issues I have been working with:
- Memory consumption reading lots of SSL certs. I compiled a separate
openssl-1.0.2d package in /usr/lib64/trafficserver/openssl so it
doesn't mess with other packages relying on openssl. This solved our memory
leak and loads significantly faster than the openssl-1.0.1e. With over 10,000
certs, openssl-1.0.1e was taking minutes to load; with openssl-1.0.2d it takes
about 6 seconds for ATS to start the server.
(https://issues.apache.org/jira/browse/TS-3554)
- qsort() in ATS: I rewrote the qsort() in traffic server to use a median-of-
three qsort. The previous implementation would cause ATS to segfault with as
many certs as we load. (https://issues.apache.org/jira/browse/TS-3867)
- glibc getaddrinfo() inventories every IP address on every network interface.
Previously, we were configuring every cert with a dedicated IP. We ended up
with over 10k IPs bound to the same server. Once we started using an SNI
configuration in ssl_multicert.config, openssl started calling getaddrinfo() on
every request. There is a commit in glibc from 2011
(https://sourceware.org/bugzilla/show_bug.cgi?id=12907) that addresses this,
but it has not been pulled into RedHat or CentOS' releases of glibc. I have
bug reports filed for both of them
(https://bugzilla.redhat.com/show_bug.cgi?id=1270950 and
https://bugs.centos.org/view.php?id=0009589). I have also been communicating
with Johnny Hughes (package maintainer for CentOS) to see if we can get this
commit expedited into the next glibc release for CentOS/RedHat.
- We recently updated our cipher suite to retire RC4.
Let me know if you are interested in more details...
Thanks,
Steven
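An added illustration of the median-of-three rewrite Steven describes above (example code written for this thread, not the ATS qsort or the TS-3867 patch). It assumes the crash with a large cert list was the usual quicksort failure, a degenerate pivot on already-ordered input driving recursion n levels deep until the stack is exhausted; the `cert_entry` record and its integer key are hypothetical stand-ins for the real table.

```c
#include <stddef.h>
/* Hypothetical stand-in for the per-certificate record ATS sorts; an integer
   key replaces whatever hostname/address key the real table uses. */
typedef struct { int key; } cert_entry;
static void swap_entries(cert_entry *a, cert_entry *b) {
    cert_entry t = *a; *a = *b; *b = t;
}
/* Order v[lo], v[mid], v[hi] in place and return the median as pivot, so sorted
   or reverse-sorted input no longer produces a degenerate one-sided split. */
static int median_of_three(cert_entry *v, long lo, long hi) {
    long mid = lo + (hi - lo) / 2;
    if (v[mid].key < v[lo].key) swap_entries(&v[mid], &v[lo]);
    if (v[hi].key < v[lo].key)  swap_entries(&v[hi], &v[lo]);
    if (v[hi].key < v[mid].key) swap_entries(&v[hi], &v[mid]);
    return v[mid].key;
}
/* Sort v[lo..hi] inclusive. Recurse only into the smaller side and loop on the
   larger so stack depth stays O(log n); returns the deepest level reached. */
static size_t qsort_m3(cert_entry *v, long lo, long hi, size_t depth) {
    size_t max_depth = depth, d;
    while (lo < hi) {
        int pivot = median_of_three(v, lo, hi);
        long i = lo, j = hi;
        while (i <= j) {                 /* Hoare partition around pivot */
            while (v[i].key < pivot) i++;
            while (v[j].key > pivot) j--;
            if (i <= j) { swap_entries(&v[i], &v[j]); i++; j--; }
        }
        if (j - lo < hi - i) { d = qsort_m3(v, lo, j, depth + 1); lo = i; }
        else                 { d = qsort_m3(v, i, hi, depth + 1); hi = j; }
        if (d > max_depth) max_depth = d;
    }
    return max_depth;
}
/* Sort n entries; returns the maximum recursion depth the sort needed. */
size_t sort_cert_entries(cert_entry *v, size_t n) {
    return n < 2 ? 0 : qsort_m3(v, 0, (long)n - 1, 0);
}
/* Constructed input: 10,000 keys in reverse order, the kind of ordered cert
   list that drives a first-element-pivot quicksort ~n levels deep. Returns
   the depth reached, or (size_t)-1 if the result is not actually sorted. */
size_t demo_ordered_input_depth(void) {
    enum { N = 10000 };
    static cert_entry v[N];
    for (long i = 0; i < N; i++) v[i].key = (int)(N - i);
    size_t d = sort_cert_entries(v, N);
    for (long i = 1; i < N; i++)
        if (v[i].key < v[i - 1].key) return (size_t)-1;
    return d;
}
```

With 10,000 ordered keys the depth returned stays around 14 rather than approaching 10,000, which is the difference between a bounded stack and the segfault described.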
-----Original Message-----
From: Susan Hinrichs [mailto:shinr...@network-geographics.com]
Sent: Monday, November 09, 2015 2:47 PM
To: dev@trafficserver.apache.org
Subject: SSL issues since last summit
Hi All,
I'm organizing a discussion of SSL issues in ATS since we last met.
Please let me know if you have been working on SSL issues that you feel
should be discussed.
Brian Geffon, I have your work on TS-3960 noted. You can send me a line or
two about that issue. And/or talk to the issue during the summit.
Thanks,
Susan