The main round of benchmarking for SSL was done in Q1 and Q2 of this year to determine what our hardware requirements would be for a hardware refresh. The benchmarking was done on modern hardware, by our standards, and with the latest Cavium card at the time.

I can pull up my numbers at the Summit. The short summary is that OpenSSL has lock contention issues when running in a threaded server. I spoke to the developers on the OpenSSL mailing list and I got a suggestion on how to make FIPS faster (one of the locks). They have code committed for the OpenSSL 1.0.3 release that would help with other locking issues. I suggested hacks multiple times that we might be able to do to make ATS faster by avoiding locks, but didn't get any response from the developers of OpenSSL. My guess is that they didn't know if it would be safe or not.

-Bryan

On Nov 10, 2015, at 1:18 PM, Miles Libbey <mlib...@apache.org> wrote:

I'd think it would be interesting to talk about SSL performance. As I (probably don't) understand it, OpenSSL's TLS significantly impairs several aspects of ATS's performance. Is there anything we can do about that? Would alternative TLS implementations (Amazon's s2n, BoringSSL, anything else?) be worth exploring? Are there requests we could make to the TLS communities?

miles

On Tuesday, November 10, 2015 11:12 AM, Susan Hinrichs <shinr...@network-geographics.com> wrote:

Thanks Steven, I added a slide to talk about your issues with scaling.

Susan

On 11/10/2015 11:34 AM, Steven R. Feltner wrote:

Susan... I don't know if this is what you are looking for, but here is a list of SSL issues I have been working with:

- Memory consumption reading lots of SSL certs. I compiled a separate openssl-1.0.2d package in /usr/lib64/trafficserver/openssl so it doesn't mess with other packages relying on openssl. This solved our memory leak and loads significantly faster than openssl-1.0.1e. With over 10,000 certs, openssl-1.0.1e was taking minutes to load; with openssl-1.0.2d it takes about 6 seconds for ATS to start the server. (https://issues.apache.org/jira/browse/TS-3554)

- qsort() in ATS: I rewrote the qsort() in traffic server to use a median-of-three qsort. The previous implementation would cause ATS to segfault with as many certs as we load. (https://issues.apache.org/jira/browse/TS-3867)

- glibc getaddrinfo() inventories every IP address on every network interface. Previously, we were configuring every cert with a dedicated IP. We ended up with over 10k IPs bound to the same server. Once we started using an SNI configuration in ssl_multicert.config, openssl started calling getaddrinfo() on every request. There is a commit in glibc from 2011 (https://sourceware.org/bugzilla/show_bug.cgi?id=12907) that addresses this, but it has not been pulled into RedHat or CentOS' releases of glibc. I have bug reports filed for both of them (https://bugzilla.redhat.com/show_bug.cgi?id=1270950 and https://bugs.centos.org/view.php?id=0009589). I have also been communicating with Johnny Hughes (package maintainer for CentOS) to see if we can get this commit expedited into the next glibc release for CentOS/RedHat.

- We recently updated our cipher suite to retire RC4.

Let me know if you are interested in more details...

Thanks,
Steven

-----Original Message-----
From: Susan Hinrichs [mailto:shinr...@network-geographics.com]
Sent: Monday, November 09, 2015 2:47 PM
To: dev@trafficserver.apache.org
Subject: SSL issues since last summit

Hi All,

I'm organizing a discussion of SSL issues in ATS since we last met. Please let me know if you have been working on SSL issues that you feel should be discussed.

Brian Geffon, I have your work on TS-3960 noted. You can send me a line or two about that issue. And/or talk to the issue during the summit.

Thanks,
Susan
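Steven's qsort() item in the thread above mentions replacing ATS's sort with a median-of-three variant after the old one segfaulted on a large certificate list. The code below is an added example and is not ATS code or the TS-3867 patch; it shows the general mechanism a practitioner would want to see: a quicksort that takes the first element as pivot recurses once per element on already-sorted input, so a list on the order of 10k entries costs on the order of 10k stack frames, while median-of-three pivot selection plus recursing only into the smaller partition keeps the depth at O(log n) for any input. The integer arrays, the `depth_on_pattern` helper and its pattern codes are constructed for this example and stand in for whatever record type the real sort handles.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*cmp_fn)(const void *, const void *);

static void swap_elems(char *a, char *b, size_t size) {
    while (size--) { char t = *a; *a = *b; *b = t; a++; b++; }
}

/* Move the median of first, middle and last element into slot 0, where
 * partition() expects the pivot. Sorted and reverse-sorted input then get a
 * pivot near the true median instead of an extreme value. */
static void median_of_three(char *base, size_t n, size_t size, cmp_fn cmp) {
    char *lo = base, *mid = base + (n / 2) * size, *hi = base + (n - 1) * size;
    if (cmp(mid, lo) < 0) swap_elems(mid, lo, size);
    if (cmp(hi, lo) < 0) swap_elems(hi, lo, size);
    if (cmp(hi, mid) < 0) swap_elems(hi, mid, size);
    swap_elems(lo, mid, size); /* lo <= mid <= hi, so mid is the median */
}

/* Lomuto partition around slot 0; returns the pivot's final index. */
static size_t partition(char *base, size_t n, size_t size, cmp_fn cmp) {
    size_t store = 1;
    for (size_t i = 1; i < n; i++)
        if (cmp(base + i * size, base) < 0) swap_elems(base + i * size, base + store++ * size, size);
    swap_elems(base, base + (store - 1) * size, size);
    return store - 1;
}

/* Naive variant: first element as pivot, recurse into both halves.
 * Returns the deepest call level reached (0 = top-level call). On sorted
 * input every partition peels off one element, so the depth is n - 1. */
static size_t naive_rec(char *base, size_t n, size_t size, cmp_fn cmp, size_t depth) {
    if (n < 2) return depth;
    size_t p = partition(base, n, size, cmp);
    size_t dl = naive_rec(base, p, size, cmp, depth + 1);
    size_t dr = naive_rec(base + (p + 1) * size, n - p - 1, size, cmp, depth + 1);
    return dl > dr ? dl : dr;
}

/* Hardened variant: median-of-three pivot, recurse only into the smaller
 * half and loop on the larger. Depth is bounded by log2(n) + 1 for any input;
 * median-of-three is what keeps the comparison count reasonable. */
static size_t m3_rec(char *base, size_t n, size_t size, cmp_fn cmp, size_t depth) {
    size_t deepest = depth;
    while (n > 1) {
        median_of_three(base, n, size, cmp);
        size_t p = partition(base, n, size, cmp), right = n - p - 1, d;
        if (p < right) { d = m3_rec(base, p, size, cmp, depth + 1); base += (p + 1) * size; n = right; }
        else           { d = m3_rec(base + (p + 1) * size, right, size, cmp, depth + 1); n = p; }
        if (d > deepest) deepest = d;
    }
    return deepest;
}

size_t naive_qsort(void *base, size_t nmemb, size_t size, cmp_fn cmp) { return naive_rec((char *)base, nmemb, size, cmp, 0); }
size_t m3_qsort(void *base, size_t nmemb, size_t size, cmp_fn cmp) { return m3_rec((char *)base, nmemb, size, cmp, 0); }

static int cmp_int(const void *a, const void *b) {
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Constructed input, not real certificate data: pattern 0 = ascending,
 * 1 = descending, 2 = all equal, otherwise pseudo-random (fixed-seed LCG).
 * Sorts n ints with the chosen variant and returns the call depth reached,
 * or (size_t)-1 if the output is not actually sorted. */
size_t depth_on_pattern(size_t n, int pattern, int use_m3) {
    int *a = malloc(n * sizeof *a);
    if (!a) return (size_t)-1;
    unsigned seed = 12345u;
    for (size_t i = 0; i < n; i++)
        a[i] = pattern == 0 ? (int)i : pattern == 1 ? (int)(n - i) : pattern == 2 ? 7
             : (int)((seed = seed * 1103515245u + 12345u) >> 8);
    size_t d = use_m3 ? m3_qsort(a, n, sizeof *a, cmp_int) : naive_qsort(a, n, sizeof *a, cmp_int);
    for (size_t i = 1; i < n; i++)
        if (a[i - 1] > a[i]) d = (size_t)-1;
    free(a);
    return d;
}

int main(void) {
    size_t n = 4096; /* same order of magnitude as the certificate counts discussed */
    printf("ascending input, n=%zu: naive depth %zu, median-of-three depth %zu\n",
           n, depth_on_pattern(n, 0, 0), depth_on_pattern(n, 0, 1));
    printf("all-equal input, n=%zu: median-of-three depth %zu\n", n, depth_on_pattern(n, 2, 1));
    return 0;
}
```

Two points worth separating when reading this: median-of-three fixes the sorted and reverse-sorted cases, which is what a certificate list read from a config file tends to look like, but on its own it still degenerates on all-equal keys and on inputs crafted against the pivot rule; the hard bound on stack depth comes from always recursing into the smaller partition and iterating on the larger. A production sort that must never blow the stack on operator-supplied input wants both, and a heapsort fallback beyond a depth limit (introsort) if the comparison count also has to be bounded.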