I'd think it would be interesting to talk about SSL performance. As I (probably
don't) understand it, OpenSSL's TLS significantly impairs several aspects of
ATS's performance. Is there anything we can do about that? Would alternative
TLS implementations (amazon's s2n; boringssl, anything else?) be worth
exploring? Are there requests we could make to the TLS communities?
miles
On Tuesday, November 10, 2015 11:12 AM, Susan Hinrichs
<[email protected]> wrote:
Thanks Steven,
I added a slide to talk about your issues with scaling.
Susan
On 11/10/2015 11:34 AM, Steven R. Feltner wrote:
> Susan...
>
> I don't know if this is what you are looking for, but here is a list of SSL
> issues I have been working with:
>
> - Memory consumption reading lots of SSL certs. I compiled a separate
> openssl-1.0.2d package compiled in /usr/lib64/trafficserver/openssl so it
> doesn’t mess with other packages relying on openssl. This solved our memory
> leak and loads significantly faster than the openssl-1.0.1e. With over
> 10,000 certs, openssl-1.0.1e was taking minutes to load, with openssl-1.0.2d
> it takes about 6 seconds for ATS to start the server.
> (https://issues.apache.org/jira/browse/TS-3554)
>
> - qsort() in ATS: I rewrote the qsort() in traffic server to use a median of
> three qsort. The previous implementation would cause ATS to seg fault with
> as many certs as we load. (https://issues.apache.org/jira/browse/TS-3867)
>
> - glibc getaddrinfo() inventories every IP address on every network
> interface. Previously, we were configuring every cert with a dedicated IP.
> We ended up with over 10k IPs bound to the same server. Once we started
> using an SNI configuration in ssl_multicert.config, openssl started calling
> getaddrinfo() on every request. There is a commit in glibc from 2011
> (https://sourceware.org/bugzilla/show_bug.cgi?id=12907) that addresses this,
> but it has not been pulled into RedHat or CentOS' releases of glibc. I have
> bug reports filed for both of them
> (https://bugzilla.redhat.com/show_bug.cgi?id=1270950 and
> https://bugs.centos.org/view.php?id=0009589). I have also been communicating
> with Johnny Hughes (package maintainer for CentOS) to see if we can get this
> commit expedited into the next glibc release for CentOS/RedHat.
>
> - We recently updated our cipher suite to retire RC4.
>
> Let me know if you are interested in more details...
>
> Thanks,
> Steven
>
>> -----Original Message-----
>> From: Susan Hinrichs [mailto:[email protected]]
>> Sent: Monday, November 09, 2015 2:47 PM
>> To: [email protected]
>> Subject: SSL issues since last summit
>>
>> Hi All,
>>
>> I'm organizing a discussion of SSL issues in ATS since we last met.
>> Please let me know if you have been working on SSL issues that you feel
>> should be discussed.
>>
>> Brian Geffon, I have your work on TS-3960 noted. You can send me a line or
>> two about that issue. And/or talk to the issue during the summit.
>>
>> Thanks,
>> Susan
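As an added illustration of the median-of-three change Steven describes for TS-3867 (this is example code written for this page, not the ATS patch, and not code from anyone on the thread): a qsort(3)-compatible routine that takes its pivot from the first, middle and last elements and recurses only into the smaller partition. On already-sorted input of many thousands of entries, a first-element pivot splits off one element per level, so recursion depth grows with n and time becomes quadratic; that is the general failure mode this pivot choice avoids, not a diagnosis of what ATS's old qsort did. The names `mot_qsort`, `sort_ints_check` and `sort_hostnames_check`, the pseudo-random generator and the SNI-style hostnames are all constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Swap two `size`-byte elements in place. */
static void swap_bytes(unsigned char *a, unsigned char *b, size_t size)
{
    while (size--) { unsigned char t = *a; *a++ = *b; *b++ = t; }
}

/* Insertion sort for the short ranges the quicksort hands down. */
static void insertion_sort(unsigned char *b, size_t n, size_t size, cmp_fn cmp)
{
    for (size_t i = 1; i < n; i++)
        for (size_t j = i; j > 0 && cmp(b + (j - 1) * size, b + j * size) > 0; j--)
            swap_bytes(b + (j - 1) * size, b + j * size, size);
}

/* qsort(3)-style signature. Median-of-three pivot; recursion into the smaller
 * side only, so stack depth stays O(log n) whatever the input order. */
void mot_qsort(void *base, size_t n, size_t size, cmp_fn cmp)
{
    unsigned char *b = base;
    while (n > 16) {
        size_t mid = n / 2, hi = n - 1;
        /* Order first, middle and last so that b[0] <= b[mid] <= b[hi]. */
        if (cmp(b + mid * size, b) < 0)             swap_bytes(b, b + mid * size, size);
        if (cmp(b + hi * size, b + mid * size) < 0) swap_bytes(b + mid * size, b + hi * size, size);
        if (cmp(b + mid * size, b) < 0)             swap_bytes(b, b + mid * size, size);
        /* Park the median at hi-1; b[0] and b[hi] now bound the two scans. */
        swap_bytes(b + mid * size, b + (hi - 1) * size, size);
        unsigned char *pivot = b + (hi - 1) * size;
        size_t i = 0, j = hi - 1;
        for (;;) {
            while (cmp(b + (++i) * size, pivot) < 0) { }
            while (cmp(b + (--j) * size, pivot) > 0) { }
            if (i >= j) break;
            swap_bytes(b + i * size, b + j * size, size);
        }
        swap_bytes(b + i * size, pivot, size);   /* pivot into its final slot */
        size_t left_n = i, right_n = n - i - 1;
        if (left_n < right_n) {                  /* recurse small, loop on large */
            mot_qsort(b, left_n, size, cmp);
            b += (i + 1) * size;
            n = right_n;
        } else {
            mot_qsort(b + (i + 1) * size, right_n, size, cmp);
            n = left_n;
        }
    }
    insertion_sort(b, n, size, cmp);
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

static int cmp_cstr(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Sort n ints: pattern 0 = already sorted, 1 = reverse sorted, 2 = constructed
 * pseudo-random with many duplicates. Returns 1 if the result is ordered. */
int sort_ints_check(size_t n, int pattern)
{
    int *a = malloc(n * sizeof *a);
    if (n && !a) return 0;
    unsigned seed = 12345u;                      /* constructed LCG seed */
    for (size_t i = 0; i < n; i++) {
        if (pattern == 0)      a[i] = (int)i;
        else if (pattern == 1) a[i] = (int)(n - i);
        else { seed = seed * 1103515245u + 12345u; a[i] = (int)(seed >> 8) % 1000; }
    }
    mot_qsort(a, n, sizeof *a, cmp_int);
    int ok = 1;
    for (size_t i = 1; i < n && ok; i++) ok = a[i - 1] <= a[i];
    free(a);
    return ok;
}

/* Sort 40 constructed SNI-style names given in reverse order (not from any
 * real ssl_multicert.config). Returns 1 if they come out in strcmp order. */
int sort_hostnames_check(void)
{
    enum { N = 40 };
    static char buf[N][32];
    const char *names[N];
    for (int k = 0; k < N; k++) {
        snprintf(buf[k], sizeof buf[k], "host%02d.example.com", N - 1 - k);
        names[k] = buf[k];
    }
    mot_qsort(names, N, sizeof names[0], cmp_cstr);
    for (int k = 1; k < N; k++)
        if (strcmp(names[k - 1], names[k]) > 0) return 0;
    return 1;
}

int main(void)
{
    printf("sorted input:   %s\n", sort_ints_check(100000, 0) ? "ok" : "FAIL");
    printf("reverse input:  %s\n", sort_ints_check(100000, 1) ? "ok" : "FAIL");
    printf("random input:   %s\n", sort_ints_check(100000, 2) ? "ok" : "FAIL");
    printf("hostnames:      %s\n", sort_hostnames_check() ? "ok" : "FAIL");
    return 0;
}
```

The sorted and reverse-sorted runs of 100,000 elements are the cases that hurt a naive pivot; here the median-of-three lands on the true median for both, and the "recurse into the smaller side, loop on the larger" structure keeps the stack shallow even when the pivot choice is unlucky.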