Hi, I have the same issue as Nil. I have set NO_DEFAULT_CA and also did "generate-host-certificates=off". I see with these changes it takes more time to reach 2GB, but it does reach there (in about 6 hours for me with peak usage).
These were my settings:

    https_port 192.168.0.10:3129 generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump sslflags=NO_DEFAULT_CA
    https_port 192.168.0.10:3128 generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump sslflags=NO_DEFAULT_CA

I did a 10 minute test to compare the behavior in Squid 3.3 and Squid 3.5. My test scenario was kept exactly the same except for the following diff in Squid 3.5:

    acl exceptions ssl::server_name_regex "/etc/squid/exception_list.txt"
    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    ssl_bump peek step1 all !exceptions
    ssl_bump splice step2 !exceptions

Here are the results after 10 mins:

1. When I didn't use NO_DEFAULT_CA and generate-host-certificates=on
   Squid 3.3 = 550MB
   Squid 3.5 = 1.1GB

2. When I use NO_DEFAULT_CA and generate-host-certificates=off
   Squid 3.3 = 402MB
   Squid 3.5 = 560MB

So it looks like Squid 3.5 has higher mem usage than 3.3 in both cases, which makes me wonder: is it that more CAs are being loaded into cache in 3.5? Also, is there any more change I can do to my config to arrest the memory growth to 2GB in 3.5 in my production system? I got only 4Gb RAM.

Thanks and Regards,
Davis

On Wed, Apr 26, 2017 at 8:38 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 26/04/17 10:53, Yuri Voinov wrote:
>
>> Ok, but how NO_DEFAULT_CA should help with this?
>>
>
> It prevents OpenSSL copying that 1MB into each incoming client connection's
> memory. The CAs are only useful there when you have some of the global CAs
> as root for client certificates - in which case you still only want to
> trust the roots you paid for service and not all of them.
>
> Just something to try if there are huge memory issues with TLS/SSL
> proxying. The default behaviour is fixed for Squid-4 with the config
> options changes. But due to being a major surprise for anyone already
> relying on global roots for client certs it remains a problem in 3.5.
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
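A small POSIX shell sampler for reproducing the 10 minute memory comparison in the message above, added here as an example (it is not from the squid project or from anyone in this thread); it assumes Linux /proc and that you pass it the PID of the Squid worker process you are measuring.

```shell
#!/bin/sh
# Poll the resident memory (VmRSS) of one process for a fixed time and
# report start, peak, last and growth in MB, so two Squid configurations
# (e.g. with and without NO_DEFAULT_CA) can be compared on equal terms.
# Added example, not squid's own tooling. Assumes Linux /proc.

# rss_kb PID -> VmRSS in kB from /proc/PID/status (empty if PID is gone)
rss_kb() {
    awk '/^VmRSS:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# report START_KB PEAK_KB LAST_KB -> one-line summary in MB
report() {
    awk -v s="$1" -v p="$2" -v l="$3" 'BEGIN {
        printf "start=%.0fMB peak=%.0fMB last=%.0fMB growth=%.0fMB\n",
               s/1024, p/1024, l/1024, (l-s)/1024 }'
}

# watch_rss PID SECONDS [INTERVAL]: print a sample per interval, then a summary.
# Returns 1 if the PID cannot be read at the start (wrong PID, not Linux).
watch_rss() {
    pid=$1; total=$2; step=${3:-10}
    start=$(rss_kb "$pid"); [ -n "$start" ] || return 1
    peak=$start; last=$start; elapsed=0
    while [ "$elapsed" -lt "$total" ]; do
        sleep "$step"; elapsed=$((elapsed + step))
        cur=$(rss_kb "$pid"); [ -n "$cur" ] || break   # process exited
        [ "$cur" -gt "$peak" ] && peak=$cur
        last=$cur
        echo "$(date +%T) pid=$pid rss_kb=$cur"
    done
    report "$start" "$peak" "$last"
}

# Example for a 10 minute run sampled every 30s (WORKER_PID is hypothetical):
#   watch_rss "$WORKER_PID" 600 30
```

Run it once per configuration under the same client load and compare the growth figures rather than a single snapshot, since the thread's numbers show the gap widening with time.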