[squid-dev] [PATCH] Collapse security_file_certgen requests.
Amos Jeffries
squid3 at treenet.co.nz
Sat Jun 10 12:32:16 UTC 2017
On 09/06/17 02:52, Christos Tsantilas wrote:
>
> Concurrent identical same-worker security_file_certgen (a.k.a.
> ssl_crtd) requests are collapsed: The first such request goes through
> to one of the helpers while others wait for that first request to
> complete, successfully or otherwise. This optimization helps deal
> with flash crowds that suddenly send a large number of HTTPS requests
> to a small group of origin servers.
>
> Two certificate generation requests are considered identical if their
> on-the-wire images are identical. This simple and fast approach covers
> all certificate generation parameters, including all mimicked
> certificate properties, and avoids hash collisions and poisoning.
> Compared to collision- or poisoning-sensitive approaches that store
> raw certificates and compare their signatures or fingerprints, storing
> helper queries costs a few extra KB per pending helper request. That
> extra RAM cost is worth the advantages and will be eliminated when
> helper code switches from c-strings to SBufs.
Thank you. +1 from me.
+1. Though I would prefer if these lines doing C-style member
initialization could be done by the GeneratorRequest constructor instead.
+ GeneratorRequest *request = new GeneratorRequest;
+ request->query = rawMessage;
+ request->emplace(callback, data);
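Review bot: In these three lines the request sits in a raw pointer from `new GeneratorRequest` while `query` is assigned and `emplace()` is called, so if either step throws before the pointer reaches its owner, nothing visible here frees it. A constructor taking rawMessage, callback and data would close that window and prevent a half-initialized request from existing; holding the object in a smart pointer until ownership is transferred would do the same.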
Amos
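
The collapsing rule from the quoted commit message, as an added sketch that is not code from the patch or from Squid: pending requests are keyed by the complete query string, so two requests merge only when every byte matches and no digest is involved. All names (Callback, PendingRequest, Collapser) are hypothetical.

```cpp
#include <cstddef>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical names; not Squid's GeneratorRequest or helper API.
using Callback = std::function<void(const std::string &reply)>;

struct PendingRequest {
    std::vector<Callback> callbacks; // every caller waiting on this query
    explicit PendingRequest(Callback first) { callbacks.push_back(std::move(first)); }
};

class Collapser {
public:
    // True: caller must send the query to a helper. False: joined an in-flight one.
    bool submit(const std::string &query, Callback cb) {
        auto it = pending_.find(query); // key is the whole query, not a digest
        if (it != pending_.end()) {
            it->second.callbacks.push_back(std::move(cb));
            return false;
        }
        pending_.emplace(query, PendingRequest(std::move(cb)));
        return true;
    }

    // Run once per helper reply, success or failure. Returns waiters notified.
    std::size_t complete(const std::string &query, const std::string &reply) {
        auto it = pending_.find(query);
        if (it == pending_.end())
            return 0;
        // Detach first so a callback that resubmits the query starts a new entry.
        PendingRequest done = std::move(it->second);
        pending_.erase(it);
        for (auto &cb : done.callbacks)
            cb(reply);
        return done.callbacks.size();
    }

    std::size_t inFlight() const { return pending_.size(); }

private:
    std::map<std::string, PendingRequest> pending_;
};
```

Because the entry is erased on any reply, a failed generation is not cached: the next identical request goes to a helper again.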