[squid-dev] [PATCH] Fast SNI peek

Christos Tsantilas christos at chtsanti.net
Fri May 13 17:07:38 UTC 2016

Currently, bumping peek mode at step2 and splice at step2, after the SNI 
is  received is very slow.

The most of the performance overhead comes from openSSL. However Squid 
does not need openSSL to peek at SNI. It needs only to get client TLS 
Hello message, analyse it to retrieve SNI and then splice at step2.

This patch:
  - Postpone creation of the OpenSSL connection (i.e. SSL) object for 
the accepted TCP connection until after we peek at SNI (after step2).

  - Implements the Parser::BinaryTokenizer parser for extracting 
byte-oriented fields from raw input

  - Reimplement a new SSL/TLS handshake messages parser using the 
BinaryTokenizer, and remove old buggy parsing code from ssl/bio.cc

  - Adjust ConnStateData, Ssl::Bio, Ssl::PeerConnector classes to use 
the new parsers and parsing results.

Some performance testing results using polygraph with 1000 robots and 
1000 origin servers:

splice at | trunk | fast-sni
step1        100%     100%
step2         22%      69%
step3         16%      26%

This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-146-fast-sni-t1.patch
Type: text/x-patch
Size: 170492 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160513/c1bf0fac/attachment-0001.bin>

More information about the squid-dev mailing list