A patch with most of the fixes requested by Amos and Alex has been applied
to trunk as r14670.
I hope it is ok.
Regards,
Christos
PS. A special note:
On 05/15/2016 04:49 PM, Amos Jeffries wrote:
* files in src/security/ should not need wrapping in USE_OPENSSL
- referring to the #includes pulling in security/Handshake.h
- maybe others
The only code wrapped inside USE_OPENSSL was related to certificate
parsing. This code was not actually used by this patch, nor by any other
Squid feature. So I just removed it.
It will appear fixed in a future patch that implements missing
certificates auto-download.
On 05/13/2016 08:07 PM, Christos Tsantilas wrote:
Currently, bumping peek mode at step2 and splice at step2, after the SNI
is received, is very slow.
Most of the performance overhead comes from OpenSSL. However, Squid
does not need OpenSSL to peek at SNI. It only needs to get the client TLS
Hello message, analyse it to retrieve the SNI, and then splice at step2.
This patch:
- Postpones creation of the OpenSSL connection (i.e. SSL) object for
the accepted TCP connection until after we peek at SNI (after step2).
- Implements the Parser::BinaryTokenizer parser for extracting
byte-oriented fields from raw input.
- Reimplements a new SSL/TLS handshake messages parser using the
BinaryTokenizer, and removes old buggy parsing code from ssl/bio.cc.
- Adjusts ConnStateData, Ssl::Bio, Ssl::PeerConnector classes to use
the new parsers and parsing results.
Some performance testing results using polygraph with 1000 robots and
1000 origin servers:
splice at | trunk | fast-sni
step1     | 100%  | 100%
step2     |  22%  |  69%
step3     |  16%  |  26%
This is a Measurement Factory project
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
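
The SNI peek described in the patch summary above, as an added example that is not part of the original message and is not Squid's code: a bounds-checked reader (a hypothetical stand-in, not the Parser::BinaryTokenizer API) extracts the host name from a constructed ClientHello without creating any OpenSSL object. It assumes the ClientHello fits in a single TLS record and reads only the first server_name entry.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

struct Reader {                                  // hypothetical bounds-checked tokenizer
    const uint8_t *p; size_t n;
    Reader area(size_t len) {                    // consume len bytes as a sub-reader
        if (len > n) throw std::out_of_range("truncated");
        Reader r{p, len}; p += len; n -= len;
        return r;
    }
    uint32_t num(size_t bytes) {                 // big-endian integer
        uint32_t v = 0;
        for (Reader f = area(bytes); f.n; --f.n) v = (v << 8) | *f.p++;
        return v;
    }
    Reader vec(size_t lenBytes) { return area(num(lenBytes)); } // length-prefixed field
};

// True (and host set) if buf is one TLS record holding a ClientHello with an SNI host_name.
bool peekSni(const std::vector<uint8_t> &buf, std::string &host) try {
    Reader rec{buf.data(), buf.size()};
    if (rec.num(1) != 0x16) return false;        // record type 22 = handshake
    rec.num(2);                                  // record version (ignored)
    Reader hello = rec.vec(2);                   // record fragment
    if (hello.num(1) != 0x01) return false;      // handshake type 1 = ClientHello
    hello = hello.vec(3);                        // ClientHello body
    hello.area(2 + 32);                          // client_version + random
    hello.vec(1); hello.vec(2); hello.vec(1);    // session_id, cipher_suites, compression
    for (Reader exts = hello.vec(2); exts.n; ) {
        bool isSni = exts.num(2) == 0;           // extension type 0 = server_name
        Reader data = exts.vec(2);
        if (!isSni) continue;
        Reader names = data.vec(2);              // server_name_list
        if (names.num(1) != 0) return false;     // name_type 0 = host_name
        Reader name = names.vec(2);
        host.assign(reinterpret_cast<const char *>(name.p), name.n);
        return true;
    }
    return false;
} catch (const std::out_of_range &) { return false; } // truncated or lying length field

// Constructed sample input: minimal ClientHello record with SNI "example.com".
std::vector<uint8_t> sampleHello() {
    std::vector<uint8_t> h = {0x16, 3, 1, 0, 67, 1, 0, 0, 63, 3, 3}; // headers + version
    h.resize(h.size() + 32, 0xAA);               // filler random
    const uint8_t rest[] = {0, 0, 2, 0x13, 0x01, 1, 0, // session_id, suites, compression
        0, 20, 0, 0, 0, 16, 0, 14, 0, 0, 11,     // extensions len, SNI header, list, entry
        'e','x','a','m','p','l','e','.','c','o','m'};
    h.insert(h.end(), rest, rest + sizeof rest);
    return h;
}
```

Every length field is checked against the bytes actually remaining in its enclosing field, so a truncated record or an oversized host_name length makes `peekSni` return false instead of reading past the buffer.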