Dan Kenigsberg has submitted this change and it was merged.

Change subject: Implement SSL session cache
......................................................................

Implement SSL session cache

We are currently implementing SSL for the XML-RPC communications with the standard Python "ssl" module. Unfortunately this module uses OpenSSL in such a way that a new OpenSSL context object is created for each client connection. This means that OpenSSL can't reuse the session cache that is stored in the context object, so the heavy part of the SSL handshake (asymmetric encryption) is performed for each connection. In addition, as we use HTTP 1.0, this also means that we use one connection per request, and thus one handshake per request.

This is a potential performance problem in the VDSM side and a huge performance problem in the engine side: when the number of hosts managed by the engine grows the use of CPU can grow to a point where almost all the CPU is used for SSL handshakes.

This patch uses the Python M2Crypto.SSL module and creates an OpenSSL context object associated to the server socket. This context object is where OpenSSL stores the cached sessions information. Instead of creating a context object for each client socket the context object already created for the server socket is reused. This means that the cached sessions are also reused. This session reusing greatly reduces the amount of CPU used for handshakes.

Bug-Url: https://bugzilla.redhat.com/857035
Change-Id: Ic75adee4070b415b8855af1f2ea289825496fbc1
Signed-off-by: Juan Hernandez <[email protected]>
---
M tests/Makefile.am
A tests/sslTests.py
M vdsm.spec.in
M vdsm/SecureXMLRPCServer.py
4 files changed, 396 insertions(+), 14 deletions(-)

Approvals:
  Alon Bar-Lev: Looks good to me, but someone else must approve
  Juan Hernandez: Verified
  oVirt Jenkins CI Server: Verified
  Dan Kenigsberg: Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/8123
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ic75adee4070b415b8855af1f2ea289825496fbc1
Gerrit-PatchSet: 11
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Saggi Mizrahi <[email protected]>
Gerrit-Reviewer: Yaniv Bronhaim <[email protected]>
Gerrit-Reviewer: Yaniv Kaul <[email protected]>
Gerrit-Reviewer: oVirt Jenkins CI Server
_______________________________________________
vdsm-patches mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
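
The effect described in the commit message, as an added illustration that is not code from the VDSM patch: it uses the current standard-library `ssl` module instead of M2Crypto and contrasts a server that builds a context per connection with one that shares a single context. All function names are hypothetical, and it assumes the `openssl` CLI is installed to create a constructed throwaway certificate.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(d):
    # Constructed throwaway self-signed pair; assumes the openssl CLI is installed.
    crt, key = os.path.join(d, "crt.pem"), os.path.join(d, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def server_ctx(crt, key):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    return ctx

def serve(listener, get_ctx, n):
    # Handle n connections; get_ctx decides which context wraps each client socket.
    for _ in range(n):
        conn, _addr = listener.accept()
        with get_ctx().wrap_socket(conn, server_side=True) as tls:
            tls.recv(16)
            tls.sendall(b"ok")

def reuse_flags(share_context):
    """Connect twice, offering the first session again; return session_reused per connection."""
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_cert(d)
        shared = server_ctx(crt, key)
        get_ctx = (lambda: shared) if share_context else (lambda: server_ctx(crt, key))
        listener = socket.create_server(("127.0.0.1", 0))
        worker = threading.Thread(target=serve, args=(listener, get_ctx, 2), daemon=True)
        worker.start()
        client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
        client.load_verify_locations(crt)
        # TLS 1.2 keeps the demo simple: the session is available right after the handshake.
        client.maximum_version = ssl.TLSVersion.TLSv1_2
        session, flags = None, []
        for _ in range(2):
            with socket.create_connection(listener.getsockname()) as raw:
                with client.wrap_socket(raw, server_hostname="localhost",
                                        session=session) as tls:
                    tls.sendall(b"ping")
                    tls.recv(16)
                    flags.append(tls.session_reused)
                    session = tls.session
        worker.join(5)
        listener.close()
        return flags

if __name__ == "__main__":
    print("context per connection:", reuse_flags(False))  # second handshake is full
    print("one shared context:    ", reuse_flags(True))   # second handshake is resumed
```

On a production server, `SSLContext.session_stats()` on the shared context exposes hit and miss counters that show whether clients are actually resuming.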
