[squid-dev] [PATCH] Fast SNI peek
Christos Tsantilas
christos at chtsanti.net
Fri May 13 17:07:38 UTC 2016

Currently, bumping in peek mode at step2 and splicing at step2, after the SNI
is received, is very slow.
Most of the performance overhead comes from OpenSSL. However, Squid
does not need OpenSSL to peek at SNI. It only needs to get the client TLS
Hello message, analyse it to retrieve SNI, and then splice at step2.

This patch:
- Postpones creation of the OpenSSL connection (i.e. SSL) object for
  the accepted TCP connection until after we peek at SNI (after step2).
- Implements the Parser::BinaryTokenizer parser for extracting
  byte-oriented fields from raw input.
- Reimplements a new SSL/TLS handshake messages parser using the
  BinaryTokenizer, and removes old buggy parsing code from ssl/bio.cc.
- Adjusts ConnStateData, Ssl::Bio, Ssl::PeerConnector classes to use
  the new parsers and parsing results.

Some performance testing results using polygraph with 1000 robots and
1000 origin servers:

  splice at | trunk | fast-sni
  ----------+-------+---------
  step1     | 100%  | 100%
  step2     | 22%   | 69%
  step3     | 16%   | 26%

This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-146-fast-sni-t1.patch
Type: text/x-patch
Size: 170492 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160513/c1bf0fac/attachment-0001.bin>
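
The SNI peek described in this message (read the client TLS Hello, parse it without OpenSSL, extract the server name) as an added C++ example; it is not code from the attached patch or from Squid. `Tok`, `peekSni` and `sampleHello` are hypothetical names, the sample bytes are constructed, and the ClientHello is assumed to fit in the first TLS record.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

struct Tok {                          // hypothetical tokenizer, not Squid's class
    const uint8_t *p; std::size_t n;
    uint32_t num(std::size_t bytes) { // big-endian integer field (1..3 bytes)
        if (bytes > n) throw std::out_of_range("truncated");
        uint32_t v = 0;
        for (; bytes; --bytes, --n) v = (v << 8) | *p++;
        return v;
    }
    Tok area(std::size_t len) {       // consume exactly len bytes as a sub-range
        if (len > n) throw std::out_of_range("truncated");
        Tok t{p, len}; p += len; n -= len; return t;
    }
    Tok vec(std::size_t lenBytes) { return area(num(lenBytes)); } // length-prefixed
};

// True and sets sni when buf starts with a complete ClientHello carrying SNI.
bool peekSni(const std::vector<uint8_t> &buf, std::string &sni) {
    try {
        Tok in{buf.data(), buf.size()};
        if (in.num(1) != 22) return false;      // record type 22 = handshake
        in.num(2); Tok rec = in.vec(2);         // skip version, take the fragment
        if (rec.num(1) != 1) return false;      // handshake type 1 = ClientHello
        Tok hello = rec.vec(3);
        // Skip client_version + random, session_id, cipher_suites, compression.
        hello.area(2 + 32); hello.vec(1); hello.vec(2); hello.vec(1);
        for (Tok exts = hello.vec(2); exts.n; ) {
            const uint32_t type = exts.num(2);
            Tok body = exts.vec(2);
            if (type != 0) continue;            // extension 0 = server_name
            for (Tok names = body.vec(2); names.n; ) {
                const uint32_t kind = names.num(1);
                Tok name = names.vec(2);
                if (kind == 0) { sni.assign(name.p, name.p + name.n); return true; }
            }
        }
    } catch (const std::out_of_range &) {}      // truncated, malformed, or no extensions
    return false;
}

std::vector<uint8_t> sampleHello() {   // constructed input, SNI "example.com"
    std::vector<uint8_t> b = {22,3,1,0,67, 1,0,0,63, 3,3, 0, 0,2,0,0x2f, 1,0,
        0,20, 0,0,0,16, 0,14, 0,0,11, 'e','x','a','m','p','l','e','.','c','o','m'};
    b.insert(b.begin() + 11, 32, uint8_t(0xAA)); // 32-byte random after client_version
    return b;
}
```

Every length field is checked against the bytes actually remaining in its enclosing range, so a truncated Hello or an inner length that overstates its container yields `false` instead of an out-of-bounds read.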