On Thu, Jun 07, 2018 at 02:47:01PM +0530, Mihir Shirali wrote:
> Hi Alexander,
>
> I have looked at the link. What I am looking for is an answer to the
> difference between maxsslconn and maxsslrate. The former does not result in
> CPU savings while the latter does.
That's expected:

- the former limits the number of concurrent connections: it will refuse to allocate more SSL sessions than configured. The problem is that this can only be done after the TCP connection is accepted, so extraneous connections will be rejected instead of being delayed. This is used to limit the amount of memory used by SSL.

- the latter limits the rate at which incoming connections are accepted on all SSL listeners. Once the limit is reached, new connections will not be accepted anymore until the average accept rate over the last sliding second falls lower than this value. This effectively results in a smoothing of the SSL traffic. For example, if you accept only 200 conns/s you'll ultimately see one connection accepted every 5 ms.

In both cases there are limitations though:

- with maxsslconn, some users will not be able to connect at all if the limit is reached;
- with maxsslrate, some users will experience a slowdown so that the max rate you have configured is respected.

Overall you should use this with high enough values to protect your system but not really for QoS.

Regards,
Willy
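A toy simulation of the two behaviours described in the reply, added here as an illustration; it is not part of the thread or of HAProxy's code. It assumes a simplified sliding one-second window for the rate cap (HAProxy's real frequency counter smooths a burst more evenly than this model) and a constructed workload of 1000 clients connecting at the same instant.

```python
# Toy model of the two limits compared in the reply (added illustration, not
# HAProxy code): a hard cap on concurrent SSL sessions refuses the overflow,
# while a sliding-one-second accept-rate cap delays it instead.
from collections import deque


def simulate_maxsslconn(arrivals, durations, maxsslconn):
    """Hard cap on live SSL sessions (maxsslconn).

    arrivals/durations: per-connection arrival time and hold time in seconds.
    Returns (accepted, rejected). A rejected connection was already accepted
    at the TCP level and is then closed, not queued."""
    active = []  # end times of live SSL sessions
    accepted = rejected = 0
    for t, d in zip(arrivals, durations):
        active = [end for end in active if end > t]  # expire finished sessions
        if len(active) >= maxsslconn:
            rejected += 1
        else:
            active.append(t + d)
            accepted += 1
    return accepted, rejected


def simulate_maxsslrate(arrivals, maxsslrate):
    """Simplified sliding-window accept-rate cap (maxsslrate): nobody is
    refused, but a connection is not accepted until fewer than maxsslrate
    accepts fall in the preceding second. Accepts stay in FIFO order.
    Returns the list of accept times."""
    window = deque()  # accept times that fall within the last second
    accept_times = []
    for t in sorted(arrivals):
        ready = max(t, accept_times[-1]) if accept_times else t
        while True:
            while window and window[0] <= ready - 1.0:
                window.popleft()  # accepts older than one second no longer count
            if len(window) < maxsslrate:
                break
            ready = window[0] + 1.0  # wait until the oldest accept ages out
        window.append(ready)
        accept_times.append(ready)
    return accept_times


def burst_comparison(n=1000, maxsslconn=300, maxsslrate=200):
    """Constructed workload: n clients connect at t=0 and each holds 10 s."""
    arrivals = [0.0] * n
    accepted, rejected = simulate_maxsslconn(arrivals, [10.0] * n, maxsslconn)
    times = simulate_maxsslrate(arrivals, maxsslrate)
    return {"conn_accepted": accepted, "conn_rejected": rejected,
            "rate_accepted": len(times), "rate_last_accept_s": times[-1]}


if __name__ == "__main__":
    print(burst_comparison())
```

With the defaults, the hard cap turns away 700 of the 1000 clients outright, whereas the rate cap accepts every one of them but spreads the accepts over five seconds.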