Does this apply? https://bugs.openjdk.org/browse/JDK-8190917
From: Sanjay Deshmukh <sanj...@gmail.com> Sent: Monday, June 5, 2023 3:28 PM To: user@accumulo.apache.org Subject: Re: Impact from Enabling TLS Sure thing. We're running Accumulo 1.10.1. Our configuration has 15 tablet servers and a client pool of 4 threads that could be doing scans or batch scans at any given time. I wish I could copy over the exact jstack but unfortunately it's coming from an offline network, but I do see the same tablet servers in the thread names repeatedly (e.g. "batch scanner X- 4 looking up 1 ranges at tabletservername:9997", implying it it's not an infrequent use problem. In some cases I even see multiple threads trying to handshake with the same tablet server. The jstack here seems to go from TabletServerbatchReaderIterator.doLookup down through TFramedTransport.flush and into SSLSocketImpl.performInitialHandshake. The lifecycle here is that each of these client threads is using a single shared instance of Connector, and instantiating a new Scanner or BatchScanner per use, and closing it when that use is done. There are many of these uses over time. On Mon, Jun 5, 2023 at 3:14 PM Christopher <ctubb...@apache.org <mailto:ctubb...@apache.org> > wrote: In Accumulo code, we do try to reuse thrift connections, but I'm not sure if the thrift code itself is reusing TLS sessions or not. Keep in mind that Accumulo is a distributed system. Many of these handshakes might be going to different servers in a cluster. Are you able to tell if that is the case? It might be possible to increase session timeouts or the number of cached sessions, but the best case is that you'll still need to do a handshake with each server your client talks to. It might also help if you told us the version of Accumulo you are using, and how you are using the client code (like, are you reusing client objects). If you can share a bit of the jstack with us, that might also be helpful if we need to troubleshoot further. On Mon, Jun 5, 2023, 14:12 Sanjay Deshmukh <sanj...@gmail.com <mailto:sanj...@gmail.com> > wrote: We've recently been required to enable TLS between our Accumulo clients and the tablet servers. We've got it working, but we're experiencing a significant performance impact. I'm running jstack on our client processes and consistently seeing a number of Accumulo client threads in sun.security.ssl.SSLSocketImpl.performInitialHandshake. This implies to me that the Accumulo client is not reusing TLS sessions, and instead establishing a new session for each connection. Am I reading this correctly? Is there a way to configure the Accumulo client to reuse TLS sessions? -- Sanjay Deshmukh sanj...@gmail.com <mailto:sanj...@gmail.com>
