Re: [PATCH] ssl: factoring load cert/key and chains

2018-12-12 Thread Emmanuel Hocdet
Hi Julien,

> On 12 Dec 2018, at 14:28, Julien Laffaye wrote:
> 
> 
> On Wed, Dec 12, 2018 at 12:24 PM Emmanuel Hocdet wrote:
> 
> Hi,
> 
> I tried to improve the haproxy loading time with a lot of certificates, and
> saw a double file open for each certificate (one for the private key and one
> for the cert/chain).
> The multi-cert loading part does not have this issue and is a good candidate
> for sharing code: the patches are this work, with factoring/cleanup/fix.
> 
> About speed: a PEM file with the private key in first position is far better.
> 
> If you can consider these patches?
> 
> ++
> Manu
> 
> 
> Hello,
> 
> I'm curious, do you have numbers concerning the open(2) optimization?

Not much (a few seconds), because loading the cert and especially loading the
key is the heaviest part, but avoiding syscalls on reload is rather good when
the kernel has something else to do.

> And also the PEM ordering, I did not know it mattered.
> 
5 to 10% speedup in my tests.

I tested with the pkcs12 format (with limited encryption) but it’s slower than PEM.
The best gain is with EC certificates (x2 vs RSA-2048) (loading the key is
really the heaviest part).

++
Manu



Re: [PATCH] ssl: factoring load cert/key and chains

2018-12-12 Thread Julien Laffaye
On Wed, Dec 12, 2018 at 12:24 PM Emmanuel Hocdet wrote:

>
> Hi,
>
> I tried to improve the haproxy loading time with a lot of certificates, and
> saw a double file open for each certificate (one for the private key and one
> for the cert/chain).
> The multi-cert loading part does not have this issue and is a good candidate
> for sharing code: the patches are this work, with factoring/cleanup/fix.
>
> About speed: a PEM file with the private key in first position is far better.
>
> If you can consider these patches?
>
> ++
> Manu
>
>
Hello,

I'm curious, do you have numbers concerning the open(2) optimization?
And also the PEM ordering, I did not know it mattered.

Regards,
Julien


[PATCH] ssl: factoring load cert/key and chains

2018-12-12 Thread Emmanuel Hocdet

Hi,

I tried to improve the haproxy loading time with a lot of certificates, and
saw a double file open for each certificate (one for the private key and one
for the cert/chain).
The multi-cert loading part does not have this issue and is a good candidate
for sharing code: the patches are this work, with factoring/cleanup/fix.

About speed: a PEM file with the private key in first position is far better.

If you can consider these patches?

++
Manu



Attachments:

0001-REORG-ssl-promote-cert_key_and_chain-handling.patch
0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch
0003-MINOR-ssl-SSL_CTX_set1_chain-compatibility.patch
0004-MINOR-ssl-used-cert_key_and_chain-func-in-load_cert_.patch
0005-BUG-MINOR-ssl-fix-ssl_sock_load_multi_cert-init-vars.patch
0006-CLEANUP-ssl-ssl_sock_load_crt_file_into_ckch.patch