On 09/06/17 02:52, Christos Tsantilas wrote:

Concurrent identical same-worker security_file_certgen (a.k.a. ssl_crtd) requests are collapsed: The first such request goes through to one of the helpers while others wait for that first request to complete, successfully or otherwise. This optimization helps deal with flash crowds that suddenly send a large number of HTTPS requests to a small group of origin servers.

Two certificate generation requests are considered identical if their on-the-wire images are identical. This simple and fast approach covers all certificate generation parameters, including all mimicked certificate properties, and avoids hash collisions and poisoning. Compared to collision- or poisoning-sensitive approaches that store raw certificates and compare their signatures or fingerprints, storing helper queries costs a few extra KB per pending helper request. That extra RAM cost is worth the advantages and will be eliminated when helper code switches from c-strings to SBufs.


Thank you. +1 from me.

+1. Though I would prefer if these lines doing C-style member initialization could be done by the GeneratorRequest constructor instead.

+    GeneratorRequest *request = new GeneratorRequest;
+    request->query = rawMessage;
+    request->emplace(callback, data);
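
Review bot: the `new GeneratorRequest` on the first added line produces a raw owning pointer, and the quoted lines do not show who deletes it or where it is handed over; a one-line comment naming the owner, placed at the allocation, would make the lifetime reviewable. Moving `query` and the first callback into a constructor would also close the window in which the request exists without its query.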


Amos
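
The collapsing rule from the commit message (pending requests keyed by the complete raw query, one helper reply answering every waiter), as an added example that is not code from the patch or from Squid. All type, function and query names below are hypothetical, and the query strings are constructed sample input.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Added illustration; all names here are hypothetical, not Squid's.
struct CollapsingDispatcher {
    using Callback = std::function<void(const std::string &)>;
    std::map<std::string, std::vector<Callback>> pending; // key: full raw query
    std::size_t helperQueries = 0;

    // True when the query must go to a helper, false when it was collapsed
    // onto an identical in-flight query.
    bool submit(const std::string &rawQuery, Callback cb) {
        // Entries are shared only if every byte of the query matches, so
        // there is no digest to collide on or to poison.
        auto res = pending.emplace(rawQuery, std::vector<Callback>());
        res.first->second.push_back(std::move(cb));
        if (res.second) ++helperQueries;
        return res.second;
    }

    // One helper reply, successful or not, answers every waiter.
    std::size_t complete(const std::string &rawQuery, const std::string &reply) {
        auto it = pending.find(rawQuery);
        if (it == pending.end()) return 0;
        // Detach first so a callback may safely resubmit the same query.
        std::vector<Callback> waiters = std::move(it->second);
        pending.erase(it);
        for (auto &cb : waiters) cb(reply);
        return waiters.size();
    }
};

struct DemoResult { std::size_t helperQueries, notified, stillPending; };
// Constructed flash crowd: three identical queries, one differing in one byte.
DemoResult flashCrowdDemo() {
    CollapsingDispatcher d;
    std::size_t notified = 0;
    auto cb = [&notified](const std::string &) { ++notified; };
    const std::string q = "constructed-query host=example.test";
    for (int i = 0; i < 3; ++i) d.submit(q, cb);
    d.submit("constructed-query host=example.tesu", cb);
    d.complete(q, "constructed-reply");
    return {d.helperQueries, notified, d.pending.size()};
}
```

The RAM cost mentioned in the commit message corresponds to the map key here: each pending entry holds one full copy of the query.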

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
