Julian Wiesener
2018-11-22 17:11:26 UTC
Hello,
one of our clients runs a haproxy setup with a 2000+ SSL-Certificates on multiple IPs. As an OpenSSL CTX needs to be created for each certificate for each sockets, restarting or reloading the config takes several minutes. Therfore i like to propose to share the CTX for on multiple sockets, which reduces the reload-times to acceptable values (~9 secs+0.5 per IP instead of 8 oer IP on our testsetup).
The attached patch is a POC based on 73373ab43a4599e8bcb209687e9ec1c7be37779a, i'm aware that this is at this state not commitable, but i like to discuss the further directions.
First issue is, it needs to be configurable and should be disabled by default, as it disables the ability to set different SSL options on different IPs. One way would be a global option, good enough for me, but you wouldn't be able to run a client-certificate setup only one IP and share the server certificates with others. Enable by bind configuration is an onther option that should not make to mouch trouble, however we still would need to decide on how to name them, i would propose share_ssl_ctx.
Also there is some name confusion in the code. atm there is struct shared_context, which is not for sharing CTX, it is a shared session cache. Therfore i introduced shared_ssl_ctx_list which does share the context. I could live with it, but i think that might lead to confusion in the future.
I did not yet care for reloading the config. If someone would disable the proposed sharing option and reloading, it might end in an disaster, i'll need to look into the code, removing or changing of certificates without restart is also tbd.
It also was not clear to me yet, if i require a lock, a ctx at any time, if only one thread is running whenever the config is reloaded, i think there is no need to, but i might have missed cases which could lead to deinitialization of an CTX.
So please let me know what you think and what needs to be done to get it upstream.
Kind regards,
Julian
one of our clients runs a haproxy setup with a 2000+ SSL-Certificates on multiple IPs. As an OpenSSL CTX needs to be created for each certificate for each sockets, restarting or reloading the config takes several minutes. Therfore i like to propose to share the CTX for on multiple sockets, which reduces the reload-times to acceptable values (~9 secs+0.5 per IP instead of 8 oer IP on our testsetup).
The attached patch is a POC based on 73373ab43a4599e8bcb209687e9ec1c7be37779a, i'm aware that this is at this state not commitable, but i like to discuss the further directions.
First issue is, it needs to be configurable and should be disabled by default, as it disables the ability to set different SSL options on different IPs. One way would be a global option, good enough for me, but you wouldn't be able to run a client-certificate setup only one IP and share the server certificates with others. Enable by bind configuration is an onther option that should not make to mouch trouble, however we still would need to decide on how to name them, i would propose share_ssl_ctx.
Also there is some name confusion in the code. atm there is struct shared_context, which is not for sharing CTX, it is a shared session cache. Therfore i introduced shared_ssl_ctx_list which does share the context. I could live with it, but i think that might lead to confusion in the future.
I did not yet care for reloading the config. If someone would disable the proposed sharing option and reloading, it might end in an disaster, i'll need to look into the code, removing or changing of certificates without restart is also tbd.
It also was not clear to me yet, if i require a lock, a ctx at any time, if only one thread is running whenever the config is reloaded, i think there is no need to, but i might have missed cases which could lead to deinitialization of an CTX.
So please let me know what you think and what needs to be done to get it upstream.
Kind regards,
Julian