[squid-dev] [PATCH] Collapse security_file_certgen requests.

Christos Tsantilas christos at chtsanti.net
Thu Jun 8 14:52:19 UTC 2017


Concurrent identical same-worker security_file_certgen (a.k.a. ssl_crtd) 
requests are collapsed: The first such request goes through to one of 
the helpers while others wait for that first request to complete, 
successfully or otherwise. This optimization helps deal with flash 
crowds that suddenly send a large number of HTTPS requests to a small 
group of origin servers.

Two certificate generation requests are considered identical if their 
on-the-wire images are identical. This simple and fast approach covers 
all certificate generation parameters, including all mimicked 
certificate properties, and avoids hash collisions and poisoning. 
Compared to collision- or poisoning-sensitive approaches that store raw 
certificates and compare their signatures or fingerprints, storing 
helper queries costs a few extra KB per pending helper request. That 
extra RAM cost is worth the advantages and will be eliminated when 
helper code switches from c-strings to SBufs.

This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID306-collapse-crtd-requests-t5.patch
Type: text/x-patch
Size: 7785 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170608/94494597/attachment.bin>
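
The collapsing rule described in the message, as an added example that is not part of the original post or of Squid's code: pending requests are keyed by the full query bytes, so only byte-identical queries share one helper call and no digest can collide or be poisoned. The class, type names and query strings are hypothetical and constructed for illustration.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical types and names; this is not Squid's helper API.
using Reply = std::string; // helper answer or error text
using Callback = std::function<void(const Reply &)>;

class QueryCollapser {
public:
    // Returns true when the caller must send `query` to a helper (first request),
    // false when the request was collapsed onto an identical pending one.
    bool submit(const std::string &query, Callback cb) {
        auto it = pending_.find(query); // full byte comparison, no digest involved
        const bool first = (it == pending_.end());
        if (first)
            it = pending_.emplace(query, std::vector<Callback>()).first;
        it->second.push_back(std::move(cb));
        return first;
    }

    // Called once per helper answer, success or failure; returns waiters notified.
    std::size_t complete(const std::string &query, const Reply &reply) {
        auto it = pending_.find(query);
        if (it == pending_.end())
            return 0;
        std::vector<Callback> waiters = std::move(it->second);
        pending_.erase(it); // erase before calling back: a callback may resubmit
        for (auto &cb : waiters)
            cb(reply);
        return waiters.size();
    }
private:
    std::map<std::string, std::vector<Callback>> pending_;
};

// Constructed input: three identical queries plus one that differs in one byte.
int demo() { // returns helper dispatches * 10 + waiters released by one answer
    QueryCollapser c;
    int dispatched = 0;
    auto ignore = [](const Reply &) {};
    const std::string a = "constructed-query cn=a.example.test";
    const std::string b = "constructed-query cn=b.example.test";
    for (const auto &q : {a, a, b, a})
        dispatched += c.submit(q, ignore) ? 1 : 0;
    return dispatched * 10 + static_cast<int>(c.complete(a, "ERR constructed failure"));
}
```

A failed helper answer releases every waiter exactly as a successful one does, and the entry is erased before the callbacks run, so a retry starts a fresh helper request instead of joining a stale one.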

