I'm wondering about how one might achieve maximum throughput for, say, a
web server running openssl.  I do not believe this post belongs in modssl
because I think it is germane to the design of openssl itself.

Here is what I'm thinking.  I believe the negotiation phase of an ssl
connection is actually quite cpu time consuming.  Often a server will be
written with many processes each handling many simultaneous connections
via select().  Now if threads are used, then I believe even if they are
very light weight, that normally a programmer would dispatch a thread to
deal with a given connection and this means that thread will block once
the connection starts and continue to be effectively blocked until the
connection has completed.

Contrast this to the case of multiple processes handling multiple
connections via select().  In this case, if a programmer simply initiates
a connection via openssl then I believe most likely with the present
design that the process will in fact block periodically, but also even
when not blocked it will effectively be unable to listen for new
connections because the cpu will be executing crypto code for a large
percentage of the time and during this cpu intensive phase for many many
clocks the process will not be in a position to execute select() and
therefore it can not in fact receive connections.

So here is what I'm thinking.

I think the code managing the sockets should be able to drop the
negotiation request into a fifo for execution either by a separate cpu
bound process running in the machine - or even write it out to a slave
cpu and let one or more slaves chew away at the arithmetic etc.  In this
way, the server itself can be kept light weight because several slaves
might be attached in a load balancing fashion in order to handle high
throughput situations.

Now, I realise there can be a fair amount of overhead shipping a
connection request out to a dedicated slave processor that might in fact
be another machine.  I'd like to ask the people working on openssl
whether they think designing the library to easily accommodate such
offloads makes sense?  I.e. will we lose too much time passing the
request out a fifo and reading the answer back in when it has been
processed... or will the overhead in passing the request out through a
NIC be relatively minor compared to the time the slave cpu needs to
en/de-crypt what has come in?

Also, I am under the impression that in a multi-cpu computer that passing
the cpu intensive processing requests to multiple dedicated processes is
a very good idea because it allows the OS to dispatch each slave process
to a separate processor and in this way the process group monitoring the
incoming connections can remain very light weight and hence always ready
to receive a new connection.  Conceptually we end up with a group of
traffic cops passing the heavy duty work onto a group of slaves.


Comments please...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
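
The front-end/worker split proposed in the post above, sketched as an added example that is not part of the original message or of OpenSSL: a select() loop hands CPU-bound jobs to forked worker processes over socketpairs, one job in flight per worker. The names `heavy`, `spawn_worker`, `offload`, `MOD` and `EXP` are hypothetical, and a constructed 2048-bit modular exponentiation stands in for the handshake's private-key operation.

```python
import os
import select
import socket
import struct

# Constructed stand-ins (assumptions): a 2048-bit modular exponentiation plays
# the part of the handshake's private-key operation; MOD and EXP are not a key.
MOD = (1 << 2048) - 159
EXP = (1 << 2047) + 65537
MSG = struct.Struct("!I256s")  # job id, 2048-bit big-endian value
def heavy(x):
    return pow(x, EXP, MOD)

def spawn_worker():
    """Fork a CPU-bound worker; return (pid, front end's socket to it)."""
    front, back = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        try:
            front.close()
            while buf := back.recv(MSG.size, socket.MSG_WAITALL):
                job, raw = MSG.unpack(buf)
                y = heavy(int.from_bytes(raw, "big"))
                back.sendall(MSG.pack(job, y.to_bytes(256, "big")))
        finally:
            os._exit(0)  # never fall back into the front end's code
    back.close()
    return pid, front

def offload(inputs, nworkers=2):
    """select()-driven front end: at most one job in flight per worker."""
    workers = [spawn_worker() for _ in range(nworkers)]
    idle, busy = [s for _, s in workers], []
    pending, results = list(enumerate(inputs)), {}
    while pending or busy:
        while pending and idle:  # hand every idle worker one job
            job, x = pending.pop(0)
            busy.append(idle.pop())
            busy[-1].sendall(MSG.pack(job, x.to_bytes(256, "big")))
        for s in select.select(busy, [], [])[0]:  # returns when a result is ready
            job, raw = MSG.unpack(s.recv(MSG.size, socket.MSG_WAITALL))
            results[job] = int.from_bytes(raw, "big")
            busy.remove(s)
            idle.append(s)
    for _, s in workers:  # close every socket first so each worker sees EOF
        s.close()
    for pid, _ in workers:
        os.waitpid(pid, 0)
    return [results[j] for j in range(len(inputs))]
```

A real server would add its listening socket to the same select() call, so new connections are still accepted while the workers compute.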
