Hi Chris.
On 16-02-2018 23:51, Christopher Lane wrote:
On Thu, Feb 15, 2018 at 3:02 PM Aleksandar Lazic <[email protected]> wrote:
Hi.
On 15.02.2018 at 22:42 Christopher Lane wrote:
Internally, my company uses pregenerated SSL sessions.
Just out of curiosity, what is a "pregenerated SSL session"?
What's the use case for this?
SSL sessions, as negotiated between the client and server, can be serialized and saved to disk or database or whatever. Then when a new connection comes in, they can be de-serialized and the old session can be resumed, skipping the multiple round trip SSL handshake and the expensive RSA key operations.
We generate the SSL sessions (which include the session AES key so are as sensitive as the RSA private key) and distribute them throughout the data center so we can get 5 ms SSL connect times instead of 20-30 ms connect times.
An alternative way to use this functionality is to put all newly created SSL session objects into memcached or the like and then keep loading the memcached sessions into the listening SSL contexts.
Got your use case.
How about adding/injecting these SSL sessions into a peer?
http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#3.5
From my point of view this is the least intrusive method.
This "only" requires implementing a tool which understands the peer protocol.
http://git.haproxy.org/?p=haproxy.git;a=blob;f=doc/peers.txt;h=f308f8c7e88f7054a233bc83f53345937b6920ee;hb=HEAD
http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=doc/peers.txt;h=f308f8c7e88f7054a233bc83f53345937b6920ee;hb=HEAD
You can see an example setup here
http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#4.2-stick%20store-response
The advantage of this solution is that you can develop it independently from haproxy and you can use different haproxy versions.
The disadvantage is that you will have to take care of changes in the peer protocol.
What do you think about this idea?
I am thinking about maybe changing haproxy to load and use our sessions. Would there be interest in some sort of open-source change to allow session loading as some easy extension/config for haproxy? Like some config
ssl_get_sessions_from_exe=custom_session_emitter
where custom_session_emitter writes the appropriate ASN1/PEM session data or some such?
Or
ssl_get_sessions_from_file=sessions.pem
(less good because we encrypt the session data on disk).
If not, I'll just strive to make my patches clean against the tree, but if so, I'm happy to contribute the interface. (As far as I can tell, not many places are using pregenerated sessions, but doing so saves a lot of latency).
Do you need to handle the session dynamically or only at startup time?
Start-up time will be simple enough for us, we aren't using the DB caching model. Something runtime would have to involve some C API or exposing it to Lua or something more complicated.
With the peers idea you can also change the sessions dynamically, in case you need it.
--Chris
Best regards
Aleks
(me2digital.com)
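An added example, not from the thread and not HAProxy's own code: the "distribute the sessions throughout the data center" model Chris describes, done in Go with the standard library's TLS session tickets. Two servers (A and B) load the same 32-byte ticket key, a third (C) loads a different one; a single client does a full handshake against A, resumes against B without a second key exchange, and falls back to a full handshake against C. The hostname haproxy.example, the in-memory self-signed certificate and the random ticket keys are constructed for the demo. The mechanism differs from Chris's in one respect worth noting: the session state travels encrypted inside the ticket rather than being pre-distributed as a serialized session object, so the shared ticket key is exactly as sensitive as the sessions it protects, the same point Chris makes about the session AES key. The client-side tls.ClientSessionCache plays the role of his memcached store. Needs Go 1.13 or newer and a loopback interface.

```go
// Added example, not HAProxy code: TLS resumption across servers that share a
// session-ticket key. Sharing the key stands in for distributing the sessions.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// serverName is a hypothetical hostname used only for the throwaway certificate.
const serverName = "haproxy.example"

// selfSigned builds an in-memory ECDSA certificate for serverName plus a pool
// that trusts it (constructed for the demo; no real key material involved).
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// serveOnce accepts one connection, finishes the handshake and sends a short
// payload. With TLS 1.3 the NewSessionTicket follows the handshake, so the
// client only caches the session once it reads from the connection.
func serveOnce(ln net.Listener, cfg *tls.Config) {
	conn, err := ln.Accept()
	if err != nil { return }
	tc := tls.Server(conn, cfg)
	defer tc.Close()
	if err := tc.Handshake(); err != nil { return }
	tc.Write([]byte("ok\n"))
}

// connect dials addr, drains the payload (and with it the ticket) and reports
// whether the handshake was a resumption.
func connect(addr string, cfg *tls.Config) (bool, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil { return false, err }
	defer conn.Close()
	if _, err := io.ReadFull(conn, make([]byte, 3)); err != nil { return false, err }
	return conn.ConnectionState().DidResume, nil
}

// RunDemo starts three loopback servers: A and B share a ticket key (the
// "distributed" secret), C has its own. It returns DidResume for one
// connection to each of A, B and C, in that order.
func RunDemo() ([3]bool, error) {
	var out [3]bool
	cert, pool, err := selfSigned()
	if err != nil { return out, err }
	var shared, other [32]byte
	rand.Read(shared[:])
	rand.Read(other[:])
	// One client config, so the cache key (the server name) is identical each time.
	client := &tls.Config{ServerName: serverName, RootCAs: pool,
		ClientSessionCache: tls.NewLRUClientSessionCache(0)}
	for i, k := range [][32]byte{shared, shared, other} {
		srv := &tls.Config{Certificates: []tls.Certificate{cert}}
		srv.SetSessionTicketKeys([][32]byte{k}) // same key => mutually valid tickets
		ln, err := net.Listen("tcp", "127.0.0.1:0")
		if err != nil { return out, err }
		go serveOnce(ln, srv)
		out[i], err = connect(ln.Addr().String(), client)
		ln.Close()
		if err != nil { return out, err }
	}
	return out, nil
}

func main() {
	res, err := RunDemo()
	if err != nil { panic(err) }
	fmt.Printf("A resumed=%v  B resumed=%v  C resumed=%v\n", res[0], res[1], res[2])
}
```

Run it with `go run .`; the expected line is `A resumed=false  B resumed=true  C resumed=false`. HAProxy's own counterpart to the shared secret in this example is the `tls-ticket-keys` option on a `bind` line, which points at a file of ticket keys that every instance loads so that any of them can accept a ticket issued by another; it has the same operational consequence as above, namely that the key file must be protected like a private key.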