<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=koi8-r">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>You sure?</p>
<p><br>
</p>
<p><a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/SquidFaq/SquidMemory">http://wiki.squid-cache.org/SquidFaq/SquidMemory</a><br>
</p>
<br>
<div class="moz-cite-prefix">03.05.2017 21:44, Nil Nik wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BY1PR10MB0357ECF69FE367088AF5601D84160@BY1PR10MB0357.namprd10.prod.outlook.com">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p>Hi,</p>
<p><br>
</p>
<p>It's not disk cache, it's <font size="2"><span
style="font-size:10pt">due to in-memory SSL context.</span></font></p>
<p><font size="2"><span style="font-size:10pt"><br>
</span></font></p>
<p><font size="2"><span style="font-size:10pt">Nil</span></font><br>
</p>
<br>
<div style="color: rgb(0, 0, 0);">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
squid-users
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org">&lt;squid-users-bounces@lists.squid-cache.org&gt;</a> on
behalf of Yuri <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com">&lt;yvoinov@gmail.com&gt;</a><br>
<b>Sent:</b> Wednesday, May 3, 2017 11:55 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Huge memory required for
squid 3.5</font>
<div> </div>
</div>
<div>
<p>How big are the disk cache(s) and how full are they?<br>
</p>
<br>
<div class="moz-cite-prefix">03.05.2017 17:54, Nil Nik
wrote:<br>
</div>
<blockquote type="cite">
<div id="divtagdefaultwrapper" dir="ltr"
style="font-size:12pt; color:#000000;
font-family:Calibri,Arial,Helvetica,sans-serif">
Hi,
<p><br>
</p>
<p><font size="2"><span style="font-size:10pt">NO_DEFAULT_CA</span></font>
<span>
doesn't</span> help. It still goes into GB. Can anyone
tell me the area so that I can work on it?</p>
<p><br>
</p>
<p>Regards,</p>
<p>Nil<br>
</p>
<p><br>
</p>
<div style="color:rgb(0,0,0)">
<div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b>
squid-users
<a class="moz-txt-link-rfc2396E"
href="mailto:squid-users-bounces@lists.squid-cache.org"
moz-do-not-send="true">
&lt;squid-users-bounces@lists.squid-cache.org&gt;</a> on behalf of Alex
Rousskov <a class="moz-txt-link-rfc2396E"
href="mailto:rousskov@measurement-factory.com"
moz-do-not-send="true">
&lt;rousskov@measurement-factory.com&gt;</a><br>
<b>Sent:</b> Wednesday, April 26, 2017 7:37 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated"
href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true">
squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Huge memory
required for squid 3.5</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt">
<div class="PlainText">On 04/26/2017 09:35 AM,
Yuri Voinov wrote:<br>
<br>
> Is this an OpenSSL issue or Squid's?<br>
<br>
AFAIK, the underlying issue (i.e., bug #4005) is
mostly a Squid problem:<br>
Squid is caching SSL contexts (instead of
certificates) and does a poor<br>
job maintaining that cache.<br>
<br>
Earlier OpenSSL versions (that had to be used
when the original code was<br>
written) complicated solving this problem.
OpenSSL v1.0.1+ added APIs<br>
that simplify some aspects of the anticipated
fix. Certain OpenSSL<br>
aspects will continue to hurt Squid, even with
OpenSSL v1.0.1, but if<br>
you want to blame a single project (instead of
both), blame Squid.<br>
<br>
<br>
> Why can't sessions share CA's data cached
in memory? shared_ptr was invented<br>
> already.<br>
<br>
OpenSSL knew how to share things well before
std::shared_ptr became<br>
available. However, it is the responsibility of
the application to tell<br>
OpenSSL what to create from scratch and what to
share. A part of the<br>
problem is that Squid tells OpenSSL to create
many large things from<br>
scratch and then caches those large things while
underestimating their<br>
size by several(?) orders of magnitude (and
probably also missing many<br>
cache hits).<br>
<br>
More details, including the difference between
problems associated with<br>
from-client and to-server connections, are
documented in the "Memory<br>
Usage" section of <a
href="http://wiki.squid-cache.org/Features/SslBump"
id="LPlnk706809" previewremoved="true"
moz-do-not-send="true">
http://wiki.squid-cache.org/Features/SslBump</a>
<br>
<br>
FWIW, we have spent a lot of resources on
triaging this problem and<br>
drafting possible solutions (in various
overlapping areas), but there is<br>
currently no sponsor to finalize and implement
any of the fixes. AFAIK,<br>
bug #4005 is stuck.<br>
<br>
I am glad that NO_DEFAULT_CA helps mitigate some
of the problems in some<br>
environments.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
> 26.04.2017 9:08, Amos Jeffries wrote:<br>
>> On 26/04/17 10:53, Yuri Voinov wrote:<br>
>>> Ok, but how should NO_DEFAULT_CA
help with this?<br>
>><br>
>> It prevents OpenSSL copying that 1MB
into each incoming client<br>
>> connection's memory. The CAs are only
useful there when you have some<br>
>> of the global CAs as root for client
certificates - in which case you<br>
>> still only want to trust the roots you
paid for service and not all of<br>
>> them.<br>
>><br>
>> Just something to try if there are huge
memory issues with TLS/SSL<br>
>> proxying. The default behaviour is
fixed for Squid-4 with the config<br>
>> options changes. But due to being a
major surprise for anyone already<br>
>> relying on global roots for client
certs it remains a problem in 3.5.<br>
>><br>
>> Amos<br>
>><br>
>>
_______________________________________________<br>
>> squid-users mailing list<br>
>> <a class="moz-txt-link-abbreviated"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">
squid-users@lists.squid-cache.org</a><br>
>> <a
href="http://lists.squid-cache.org/listinfo/squid-users"
id="LPlnk637142" previewremoved="true"
moz-do-not-send="true">
http://lists.squid-cache.org/listinfo/squid-users</a>
<br>
<br>
> <br>
<br>
<br>
</div>
</span></font></div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Bugs to the Future</div>
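<p>The NO_DEFAULT_CA setting discussed in the quoted messages, shown as a Squid 3.5 squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the port number, certificate path and cache size are assumed placeholders.</p>
<pre>
```conf
# Added example; port, certificate path and sizes are assumed placeholders.

# Squid 3.5, before: the bumping port keeps OpenSSL's default CA list, which
# (per the thread) is copied into each incoming client connection's memory.
#http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on

# Squid 3.5, after: sslflags=NO_DEFAULT_CA stops this port from loading the
# default CA list. The global roots only matter on a listening port when
# client certificates are validated against them, so check that first.
#
# dynamic_cert_mem_cache_size is the configured budget for the in-memory
# cache of generated certificates (held as SSL contexts). The thread notes
# that Squid underestimates the real size of what it caches, so treat this
# as a coarse knob rather than a hard memory limit.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_DEFAULT_CA

# Squid 4 replaces the flag with the tls-default-ca= port option; the thread
# says the default behaviour is already fixed there.
```
</pre>
<p>After reloading with <code>squid -k reconfigure</code>, compare the process resident size and the output of <code>squidclient mgr:info</code> under the same load to see whether the change has any effect in a given environment.</p>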
</body>
</html>