The upcoming feature of ngx_lua that allows distributed SSL session
caching on the server side may help maximize SSL resumption's success
rate in a distributed environment. (Note, new SSL clients supporting
TLS session tickets do not need any server-side session caching at
all, which is superior than the SSL session ID technique).
When is the distributed SSL session caching feature release planned ?
I understand that the ssl_certificate_by_la handler takes less CPU time. We found that response time increases with session caching as compared to non session caching.
Connect time goes to around 200 ms with session caching and it is just 70 ms. Please refer the attached graphs.
I think this is due to some issue with external session caching handling in OpenSSL code.
Have you faced similar issue in your testing ?
Which version of OpenSSL is being used for your testing ? Is it openSSL or some commercial one ?
Thanks,
Sreekanth
On Tuesday, February 9, 2016 at 1:06:25 AM UTC+5:30, agentzh wrote:
Hello!
On Mon, Feb 8, 2016 at 8:07 AM, sreekanth Madhavan wrote:
> Good to see the external session caching support in formal release, 1.9.7.2.
>
> feature: applied the ssl_cert_cb_yield patch to the bundled
> version of the NGINX core to allow yielding in OpenSSL's
> SSL_CTX_set_cert_cb() callbacks (needed by the ngx_lua module's
> ssl_certificate_by_lua* directives, for example).
>
> It would be great if you could share some performance test results for ssl
> external caching feature.
>
We've been profiling our online SSL gateway using this feature at
CloudFlare's production environment.
Our ssl_certificate_by_lua handler just takes less than 300us CPU time
on average for each SSL handshake request on a common production
server with real traffic, and even for the 300us CPU time, almost all
the time is spent on OpenSSL. Well, 300us is really nothing as
compared to the full SSL handshake's overhead :)
The full SSL handshake is inevitable expensive though there exists
optimizations based on leveraging special hardware instructions of
modern CPUs (like Intel AES-NI Engine of OpenSSL in your nginx.conf).
The more important optimization is to configure the SSL session cache
to maximize SSL session resumption so that re-visiting clients do not
need to do full SSL handshake at all.
The upcoming feature of ngx_lua that allows distributed SSL session
caching on the server side may help maximize SSL resumption's success
rate in a distributed environment. (Note, new SSL clients supporting
TLS session tickets do not need any server-side session caching at
all, which is superior than the SSL session ID technique).
For session resumptions, either SSL session ID or TLS session tickets,
the ssl_certificiate_by_lua handler is skipped altogether, making
things even a bit faster :)
> Results:
>
> We are seeing increase in response times and it looks like an issue with
> OpenSSL.
> Please find attached the request and connect time graph for reference.
>
For profiling, always use the various kinds of flame graph tools:
https://openresty.org/#Profiling
Regards,
-agentzh
Attachment:
no_session_caching.png
Description: PNG image
Attachment:
session_caching.png
Description: PNG image