[squid-dev] [PATCH] Collapse security_file_certgen requests.

Christos Tsantilas christos at chtsanti.net
Mon Jun 12 16:06:30 UTC 2017


On 10/06/2017 03:32 PM, Amos Jeffries wrote:
> On 09/06/17 02:52, Christos Tsantilas wrote:
>>
>> Concurrent identical same-worker security_file_certgen (a.k.a. 
>> ssl_crtd) requests are collapsed: The first such request goes through 
>> to one of the helpers while others wait for that first request to 
>> complete, successfully or otherwise. This optimization helps dealing 
>> with flash crowds that suddenly send a large number of HTTPS requests 
>> to a small group of origin servers.
>>
>> Two certificate generation requests are considered identical if their 
>> on-the-wire images are identical. This simple and fast approach covers 
>> all certificate generation parameters, including all mimicked 
>> certificate properties, and avoids hash collisions and poisoning. 
>> Compared to collision- or poisoning-sensitive approaches that store 
>> raw certificates and compare their signatures or fingerprints, storing 
>> helper queries costs a few extra KB per pending helper request. That 
>> extra RAM cost is worth the advantages and will be eliminated when 
>> helper code switches from c-strings to SBufs.
> 
> 
> Thank you. +1 from me.

The patch applied as is to squid-5 as r15190.


> 
> +1. Though I would prefer if these lines doing C-style member 
> initialization could be done by the GeneratorRequest constructor instead.
> 
> +    GeneratorRequest *request = new GeneratorRequest;
> +    request->query = rawMessage;
> +    request->emplace(callback, data);
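Review bot: ownership of the raw pointer returned by `new GeneratorRequest` is not visible in these three lines; if the object is kept in the pending-request collection so that later identical queries can be collapsed onto it, the path that completes the first request "successfully or otherwise" (as the description promises) must also remove and delete that entry, otherwise each flash crowd leaks one request per distinct query. A constructor taking `rawMessage`, `callback` and `data`, as suggested above, would additionally make the object valid from construction instead of after three separate assignments.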
> 
> 
> Amos
> 

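The collapsing described in the patch summary, keyed on the raw on-the-wire helper query rather than on a certificate hash, as an added stand-alone example (not Squid's code; class and query strings are constructed for illustration):

```cpp
// Added example: collapse identical pending helper requests by raw query text.
// Not Squid code; the Collapser class and the query strings are constructed.
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Callback = std::function<void(const std::string &reply)>;

class Collapser {
public:
    // Returns true if the query was forwarded to a helper, false if it was
    // collapsed onto an identical request that is already in flight.
    bool submit(const std::string &rawQuery, Callback cb) {
        auto it = pending.find(rawQuery);          // byte-exact match, no hashing
        if (it != pending.end()) {
            it->second.push_back(std::move(cb));
            ++collapsed;
            return false;
        }
        pending[rawQuery].push_back(std::move(cb));
        ++forwarded;
        return true;
    }
    // Deliver the helper's reply (success or failure alike) to every waiter
    // and drop the entry so a failed first request cannot strand the others.
    size_t complete(const std::string &rawQuery, const std::string &reply) {
        auto it = pending.find(rawQuery);
        if (it == pending.end()) return 0;
        std::vector<Callback> waiters = std::move(it->second);
        pending.erase(it);
        for (auto &cb : waiters) cb(reply);
        return waiters.size();
    }
    size_t pendingCount() const { return pending.size(); }
    size_t forwarded = 0, collapsed = 0;
private:
    std::map<std::string, std::vector<Callback>> pending;
};

struct DemoResult { size_t forwarded, collapsed, delivered, stillPending; };

// Three requests, two of them byte-identical; only the first is forwarded.
DemoResult demo() {
    Collapser c; size_t delivered = 0;
    auto cb = [&](const std::string &) { ++delivered; };
    c.submit("new_certificate 1 host=example.com", cb);
    c.submit("new_certificate 1 host=example.com", cb);   // collapsed
    c.submit("new_certificate 1 host=example.org", cb);   // different query
    c.complete("new_certificate 1 host=example.com", "OK");
    return {c.forwarded, c.collapsed, delivered, c.pendingCount()};
}
```

A query that differs in any byte (a mimicked certificate property, for instance) is a separate key, which is what keeps the scheme free of hash collisions and poisoning.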
