On Wednesday, 27 May 2015 16:34:09 UTC+1, agentzh wrote:
> Yes, the OpenSSL context is per-server according to the current
> implementation. So this is the expected behavior.
Ok, that makes sense.
How does the lua_ssl_trusted_certificate differ from vanilla nginx's proxy_ssl_trusted_certificate option?
I don't see the same behaviour there, and while I don't claim to understand the nginx C code at all, they appear to be very similar features.
> The HUP thing should just be an artifact of (temporary) memory
> fragmentation. Try to keep sending HUP to see if the memory grows
> infinitely. It shouldn't be the case.
Yep, it doubles on the first HUP and then stays there.
> Maybe different OpenSSL version? Or just OS X is better on handling
> memory fragmentation in this very specific case?
Yeah, on OS X it's OpenSSL 0.9.8zd and 1.0.1e-fips on my Linux box.
I can see how OS X's memory system could account for the difference after HUPing, but it's interesting that I don't see the increased initial memory use either.
I was going to test it out on a FreeBSD VM and building against some different versions of OpenSSL as well, but never got around to it.
> Seems like it's something for which you really need ssl_certificate_by_lua instead:
Yep! Been following that feature for a while, that's definitely the long term goal.
I was waiting for a new release of Openresty that included that feature first though.
> See above. Regarding reducing the trusted cert bundle, you can
> re-generate such bundles yourself by removing ones you don't really
> need. Having said that, try combining your 60 server {} blocks into a
> single one with ssl_certificate_by_lua first :)
I think for the time being I'm just going to disable ssl verification on origin connections until we start using ssl_certificate_by_lua.
> Regards,
> -agentzh
> P.S. I'm very sorry for the late reply. I've been on vacation in China.
No problem, thanks for the explanation!
Hamish
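As an added example (not from this thread or from OpenResty's own documentation), this is the shape of what agentzh suggests: a single server {} whose ssl_certificate_by_lua hook picks the certificate from the SNI name, so one OpenSSL context and one copy of the trusted bundle serve every hostname, while origin connections still verify against lua_ssl_trusted_certificate instead of turning verification off. It uses the later ssl_certificate_by_lua_block form and lua-resty-core's ngx.ssl module; the paths, the origin hostname and the per-host /etc/nginx/certs/<host>.crt layout are assumptions.

```nginx
http {
    lua_package_path "/path/to/lua-resty-core/lib/?.lua;;";
    # One trusted bundle for verifying origin (cosocket) TLS, loaded once for
    # this single server {} instead of once per server {} block
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
    lua_ssl_verify_depth 3;
    server {
        listen 443 ssl;
        server_name _;   # catch-all: every hostname is handled here

        # fallback pair; ssl_certificate_by_lua swaps it out per handshake
        ssl_certificate     /etc/nginx/fallback.crt;
        ssl_certificate_key /etc/nginx/fallback.key;
        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"
            local name = ssl.server_name()
            -- reject names that could escape the cert directory ("/", "..")
            if not name or not name:match("^[%w%.%-]+$") then
                ngx.log(ngx.ERR, "bad or missing SNI name")
                return ngx.exit(ngx.ERROR)
            end
            -- hypothetical layout: /etc/nginx/certs/<host>.crt and <host>.key
            -- (blocking reads; cache in a shared dict for real traffic)
            local function read(path)
                local f = io.open(path, "r")
                if not f then return nil end
                local data = f:read("*a"); f:close(); return data
            end
            local cert = read("/etc/nginx/certs/" .. name .. ".crt")
            local key  = read("/etc/nginx/certs/" .. name .. ".key")
            if not cert or not key then
                ngx.log(ngx.ERR, "no certificate on disk for ", name)
                return ngx.exit(ngx.ERROR)
            end
            assert(ssl.clear_certs())
            assert(ssl.set_der_cert(assert(ssl.cert_pem_to_der(cert))))
            assert(ssl.set_der_priv_key(assert(ssl.priv_key_pem_to_der(key))))
        }
        location / {
            content_by_lua_block {
                local sock = ngx.socket.tcp()
                assert(sock:connect("origin.example.com", 443))
                -- true = verify the origin cert against the shared bundle
                assert(sock:sslhandshake(nil, "origin.example.com", true))
                sock:close()
            }
        }
    }
}
```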