Hi Folks,
I have been using Crypt::SSLeay in a local HTTP(s) test suite and have found SSL handshaking to be the bottleneck when doing load testing of a web server. So, of course, the obvious answer is SSL session reuse. As always, this kind of thing is easier said than done. Looking at the OpenSSL and RTFM docs, it looks like a bit of work, but with a large performance payoff.
The following are some semi-random thoughts about how such a thing might be done. But I am only semi-literate in the worlds of Perl extensions and OpenSSL, so take them for what they are worth.
Thoughts?
Thanks,
Charlie Reitzel
For SSL session reuse to occur, the SSL client needs to save the SSL session when it is first negotiated. Later, when creating new SSL connections, it needs to see if an appropriate session exists for reuse and propose it to the SSL server. If the server agrees, the previously negotiated master secret will be used to generate a new per-socket encryption key.
Looking at SSLeay.c (.xs), a lookup table by host/port is needed to hold the Crypt::SSLeay::CTX objects. The current SSL_SESSION object, if any, could be kept in this Perl object. All client sockets for a given host and port would share a context and SSL_SESSION. All done.
There are a bunch of OpenSSL calls that we need to deal with. First, when there is no CTX-level session, we need to acquire the session from the first Conn object. Once available, we need to explicitly set the session in subsequent Conn objects. The SSL_SESSION object is reference counted, so there is no problem sharing it among multiple SSL sockets.
Another issue we would have to deal with is SSL handshake re-negotiation. Every so often SSL requires a new handshake. Every socket sharing the session would have to pick up the changes (re-negotiate the per-socket keys based on the new master secret). I am thinking this could be handled transparently in the Conn package. Or does the SSL_MODE_AUTO_RETRY take care of this?
References
OpenSSL:
http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html
http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_get_cb.html
RTFM:
http://www.rtfm.com/openssl-examples/
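The client-side design sketched in the post (a lookup table keyed by host/port whose entries share one context and the current session, so that later connections to the same endpoint propose the cached session instead of running a full handshake) is shown below as an added example; it is not part of the original post or of Crypt::SSLeay, and it uses Go's crypto/tls instead of OpenSSL. The names sessionTable, configFor, demo and must are this example's own. The self-signed "localhost" certificate is generated in memory and a Unix socket stands in for the TCP connection, both constructed so the demo runs offline; the server and client halves both live in the process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"os"
	"sync"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // demo-only: a real client would return the error
	}
}

// selfSignedCert builds a throwaway "localhost" certificate in memory
// (constructed for this demo) and the root pool the client verifies it with.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: true, // self-signed: acts as its own root
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// sessionTable is the client-side "lookup table by host/port" from the post:
// all connections to one endpoint share a *tls.Config (the CTX), and the
// ClientSessionCache inside it holds the session offered for resumption.
type sessionTable struct {
	mu         sync.Mutex
	roots      *x509.CertPool
	byEndpoint map[string]*tls.Config
}

func (t *sessionTable) configFor(host string, port int) *tls.Config {
	t.mu.Lock()
	defer t.mu.Unlock()
	key := fmt.Sprintf("%s:%d", host, port)
	if cfg, ok := t.byEndpoint[key]; ok {
		return cfg
	}
	// ServerName is checked against the certificate and is also Go's cache key.
	cfg := &tls.Config{ServerName: host, RootCAs: t.roots, MinVersion: tls.VersionTLS12,
		ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	t.byEndpoint[key] = cfg
	return cfg
}

// demo makes `rounds` sequential connections to one host:port and returns each
// connection's DidResume flag; only the first should be a full handshake.
func demo(rounds int) []bool {
	cert, roots := selfSignedCert()
	// A Unix socket stands in for TCP so the demo needs no network access.
	ln, err := net.Listen("unix", fmt.Sprintf("%s/tls-resume-%d.sock", os.TempDir(), os.Getpid()))
	must(err)
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	go func() { // server side: handshake, send one line, close
		for {
			raw, err := ln.Accept()
			if err != nil {
				return
			}
			srv := tls.Server(raw, srvCfg)
			if srv.Handshake() == nil {
				srv.Write([]byte("hello\n"))
			}
			srv.Close()
		}
	}()
	table := &sessionTable{roots: roots, byEndpoint: map[string]*tls.Config{}}
	resumed := make([]bool, 0, rounds)
	for i := 0; i < rounds; i++ {
		raw, err := net.Dial("unix", ln.Addr().String())
		must(err)
		cli := tls.Client(raw, table.configFor("localhost", 443))
		must(cli.Handshake())
		// Reading application data also consumes the post-handshake TLS 1.3
		// NewSessionTicket; that is the moment the cache gets its entry.
		_, err = io.ReadAll(cli)
		must(err)
		resumed = append(resumed, cli.ConnectionState().DidResume)
		cli.Close()
	}
	return resumed
}
```

Running demo(3) yields a first connection with DidResume false and two resumed ones. Two details matter for a load-test client like the one described: the session only lands in the cache once the client has read past the handshake (in TLS 1.3 the ticket is a post-handshake message), so a client that handshakes and immediately closes never reuses anything; and each endpoint gets its own cache, so a session negotiated with one host:port is never offered to another. The renegotiation question from the post does not arise with this protocol version: TLS 1.3 has no renegotiation, and a resumed connection derives fresh traffic keys from the cached secret plus new random values, so the shared entry is replaced by the next ticket rather than rewritten underneath other sockets.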