[squid-dev] [PATCH] Fast SNI peek
christos at chtsanti.net
Wed May 18 17:51:16 UTC 2016
A patch with most of the fixes requested by Amos and Alex is applied
to trunk as r14670.
I hope it is ok.
PS. A special note:
On 05/15/2016 04:49 PM, Amos Jeffries wrote:
> * files in src/security/ should not need wrapping in USE_OPENSSL
> - referring to the #includes pulling in security/Handshake.h
> - maybe others
The only code wrapped inside USE_OPENSSL was related to certificate
parsing. This code is not actually used by this patch, nor by any other
Squid feature, so I just removed it.
It will appear fixed in a future patch that implements the missing
On 05/13/2016 08:07 PM, Christos Tsantilas wrote:
> Currently, bumping in peek mode at step2 and splicing at step2, after the SNI
> is received, is very slow.
> Most of the performance overhead comes from OpenSSL. However, Squid
> does not need OpenSSL to peek at the SNI. It only needs to get the client TLS
> Hello message, analyse it to retrieve the SNI and then splice at step2.
> This patch:
> - Postpones creation of the OpenSSL connection (i.e. SSL) object for
> the accepted TCP connection until after we peek at the SNI (after step2).
> - Implements the Parser::BinaryTokenizer parser for extracting
> byte-oriented fields from raw input.
> - Reimplements the SSL/TLS handshake message parser using the
> BinaryTokenizer, and removes the old buggy parsing code from ssl/bio.cc.
> - Adjusts the ConnStateData, Ssl::Bio and Ssl::PeerConnector classes to use
> the new parsers and parsing results.
> Some performance testing results using polygraph with 1000 robots and
> 1000 origin servers:
> splice at | trunk | fast-sni
> ----------+-------+---------
> step1     | 100%  | 100%
> step2     |  22%  |  69%
> step3     |  16%  |  26%
> This is a Measurement Factory project
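As an added illustration of the SNI-peek approach the patch describes, not Squid's own code: a bounds-checked binary cursor (a hypothetical stand-in for Parser::BinaryTokenizer, with invented names) that pulls the host_name out of a raw TLS ClientHello record without OpenSSL, and treats a short read as "need more bytes" so a peeking proxy never splices early on a partial record. The sample record is constructed inline.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>
// Bounds-checked big-endian cursor in the spirit of Squid's BinaryTokenizer (a hypothetical stand-in,
// not Squid's class). A short read throws length_error: "wait for more bytes", never "no SNI".
struct Tokenizer {
    const std::vector<uint8_t> &buf; size_t pos = 0;
    explicit Tokenizer(const std::vector<uint8_t> &b) : buf(b) {}
    void need(size_t n) const { if (buf.size() - pos < n) throw std::length_error("need more input"); }
    uint8_t u8() { need(1); return buf[pos++]; }
    uint16_t u16() { uint16_t v = u8(); return (v << 8) | u8(); }
    uint32_t u24() { uint32_t v = u8(); return (v << 16) | u16(); }
    void skip(size_t n) { need(n); pos += n; }
    std::string bytes(size_t n) { need(n); pos += n; return std::string(buf.begin() + pos - n, buf.begin() + pos); }
};
// host_name from the server_name extension; "" if the hello provably has none; runtime_error if not a ClientHello.
std::string extractSni(const std::vector<uint8_t> &record) {
    Tokenizer t(record);
    if (t.u8() != 0x16) throw std::runtime_error("not a TLS handshake record");
    t.skip(2);                                   // record-layer version
    t.need(t.u16());                             // the whole record must be buffered before deciding
    if (t.u8() != 0x01) throw std::runtime_error("not a ClientHello");
    const uint32_t bodyLen = t.u24(); const size_t bodyEnd = t.pos + bodyLen;
    t.skip(2 + 32);                              // client_version + random
    t.skip(t.u8()); t.skip(t.u16()); t.skip(t.u8());   // session_id, cipher_suites, compression_methods
    if (t.pos >= bodyEnd) return "";             // old-style hello with no extensions block
    const uint16_t extLen = t.u16(); const size_t extEnd = t.pos + extLen;
    while (t.pos < extEnd) {
        const uint16_t type = t.u16(), len = t.u16();
        if (type != 0x0000) { t.skip(len); continue; }   // some other extension
        t.u16();                                         // server_name_list length
        if (t.u8() != 0x00) throw std::runtime_error("unknown server_name type");
        return t.bytes(t.u16());
    }
    return "";
}
// What a peeking proxy asks after every read: true means keep reading, false means decide now.
bool needsMoreInput(const std::vector<uint8_t> &soFar) {
    try { extractSni(soFar); return false; } catch (const std::length_error &) { return true; }
}
// Constructed sample (not captured traffic): a ClientHello whose only extension is server_name = "example.com".
std::vector<uint8_t> sampleClientHello() {
    std::vector<uint8_t> r = {0x16, 0x03, 0x01, 0x00, 0x43, 0x01, 0x00, 0x00, 0x3f, 0x03, 0x03};
    r.insert(r.end(), 32, 0x00);                 // random (zeroed in this sample)
    const uint8_t rest[] = {0x00, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x10, // sid, suites, comp, ext len, ext type+len
        0x00, 0x0e, 0x00, 0x00, 0x0b, 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'};            // list len, name type, name len, name
    r.insert(r.end(), rest, rest + sizeof rest);
    return r;
}
```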