[squid-dev] [PATCH] Fast SNI peek

Christos Tsantilas christos at chtsanti.net
Wed May 18 17:51:16 UTC 2016

A patch with the most of the fixes requested by Amos and Alex is applied 
to trunk as r14670.

I hope it is ok.


PS. A special note:

On 05/15/2016 04:49 PM, Amos Jeffries wrote:
> * files in src/security/ should not need wrapping in USE_OPENSSL
>  - referring to the #includes pulling in security/Handshake.h
>  - maybe others

The only code wrapped inside USE_OPENSSL was related to certificates 
parsing. This code did not actually used by this patch, nor by any other 
squid feature. So I just remove it.
It will be appear fixed in a future patch implements missing 
certificates auto-download.

On 05/13/2016 08:07 PM, Christos Tsantilas wrote:
> Currently, bumping peek mode at step2 and splice at step2, after the SNI
> is  received is very slow.
> The most of the performance overhead comes from openSSL. However Squid
> does not need openSSL to peek at SNI. It needs only to get client TLS
> Hello message, analyse it to retrieve SNI and then splice at step2.
> This patch:
>   - Postpone creation of the OpenSSL connection (i.e. SSL) object for
> the accepted TCP connection until after we peek at SNI (after step2).
>   - Implements the Parser::BinaryTokenizer parser for extracting
> byte-oriented fields from raw input
>   - Reimplement a new SSL/TLS handshake messages parser using the
> BinaryTokenizer, and remove old buggy parsing code from ssl/bio.cc
>   - Adjust ConnStateData, Ssl::Bio, Ssl::PeerConnector classes to use
> the new parsers and parsing results.
> Some performance testing results using polygraph with 1000 robots and
> 1000 origin servers:
> splice at | trunk | fast-sni
> step1        100%     100%
> step2         22%      69%
> step3         16%      26%
> This is a Measurement Factory project
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev

More information about the squid-dev mailing list