Re: SSL issues since last summit

2015-11-10 Thread Bryan Call
The main round of benchmarking for SSL was done in Q1 and Q2 of this year to determine what our hardware requirements would be for a hardware refresh. The benchmarking was done on modern hardware, for our standards, and with the latest Cavium card at the time. I can pull up my numbers at the Summ

Re: SSL issues since last summit

2015-11-10 Thread Susan Hinrichs
I have a slide to talk about alternative SSL implementations (boringssl, s2n, and libressl). I know that Bryan has done some analysis on the bottlenecks of the openssl implementation as we use it. At a minimum we can launch into a discussion based on his and others' performance analysis experi

Re: SSL issues since last summit

2015-11-10 Thread Miles Libbey
I'd think it would be interesting to talk about SSL performance. As I (probably don't) understand it, OpenSSL's TLS significantly impairs several aspects of ATS's performance. Is there anything we can do about that? Would alternative TLS implementations (Amazon's s2n; boringssl, anything else?)

Re: SSL issues since last summit

2015-11-10 Thread Susan Hinrichs
Thanks Steven, I added a slide to talk about your issues with scaling.

Susan

On 11/10/2015 11:34 AM, Steven R. Feltner wrote:
> Susan... I don't know if this is what you are looking for, but here is a list of SSL issues I have been working with:
> - Memory consumption reading lots of SSL certs.

RE: SSL issues since last summit

2015-11-10 Thread Steven R. Feltner
Susan... I don't know if this is what you are looking for, but here is a list of SSL issues I have been working with:
- Memory consumption reading lots of SSL certs. I compiled a separate openssl-1.0.2d package compiled in /usr/lib64/trafficserver/openssl so it doesn’t mess with other package

Re: SSL issues since last summit

2015-11-09 Thread Bryan Call
I wouldn't call it a requirement for blacklisting ciphers and more of a suggestion because of the "MAY" usage. However, it is a good feature to have.

Appendix A. TLS 1.2 Cipher Suite Black List

An HTTP/2 implementation MAY treat the negotiation

Re: SSL issues since last summit

2015-11-09 Thread Leif Hedstrom
> On Nov 9, 2015, at 11:46 AM, Susan Hinrichs wrote:
>
> Hi All,
>
> I'm organizing a discussion of SSL issues in ATS since we last met. Please let me know if you have been working on SSL issues that you feel should be discussed.

One thing that’s indirectly SSL related is more contro