On 12/30/20 7:14 PM, Baptiste Jonglez wrote:
Following the discussion in 
http://lists.openwrt.org/pipermail/openwrt-devel/2020-November/032297.html

There are basically two options to implement persistent connections in opkg:

1) keep calling "wget", but pass the list of all packages to download at
    once.  On the host, wget already implements persistent connections.
    For devices, we would need to implement persistent connections in
    uclient-fetch (which is what "wget" actually points to).

2) switch to using an HTTP library (libuclient or libcurl), so that we can
    keep some TCP/TLS/HTTP context between downloads.

The first solution has a major drawback on devices: all packages would
need to be downloaded to /tmp, which will consume memory.  Currently, opkg
processes packages individually, so only one package at a time is stored
in /tmp.

The second solution adds a new library dependency, and we need to make
sure that it works both on the host and on targets.  Currently, we don't
make libuclient available to the host build system.  We would need to
build it for the host and link opkg statically against it (like it's done
for libubox).

Overall, I think the second solution makes more sense and is easier to
integrate.  I would go with libuclient because we already have it
available on devices.

Any thoughts?

Thanks,
Baptiste

Hi,

I looked into performance problems of LuCI when using https some time ago.

The slow part was the handshake; the normal stream cipher is relatively fast, and even very slow devices should be able to do multiple MB/s.

On the server side the ECC handshake was much faster. I think I measured values like 1 second (RSA) vs. 0.3 seconds (ECC) for the handshake on a Lantiq MIPS 24Kec CPU with mbedtls; the RSA handshake was much faster (0.5 seconds) with openssl.

We should activate support for ECC certificates on https://downloads.openwrt.org. I think it is possible to use both RSA and ECC on the server and then decide based on what the client supports and wants. In OpenWrt we could then use ECC to authenticate the server. The crypto parts should already be there, as we need ECDH for SAE in hostapd.

We could use TLS Session Resumption; the SSL libraries should support it. This way we can easily reuse the same session for the next download. Browsers do this to only do one SSL handshake and then have multiple TCP connections to the server to download the material in parallel.

Hauke
