Hi, Florin, Based on this discuss, I have submitted a code review #14156 for this. Please help review it.
The main change is: 1) Add a point in ctx_id to point engine specific data, and point to a openssl_tls_ctx data structure. 2) Add 2 engine specific API such for start listen and stop listen. 3) CPS performance has been improved around 30% after this patch. 4) Main implementation in openssl, and will not break mbedtls. Thanks Ping From: [email protected] [mailto:[email protected]] On Behalf Of Yu, Ping Sent: Thursday, July 26, 2018 9:26 AM To: Florin Coras (fcoras) <[email protected]>; [email protected] Cc: Yu, Ping <[email protected]> Subject: Re: [vpp-dev] tls init server is too heavy That’s great. I will implement it and submit patch for this optimization. Ping From: Florin Coras (fcoras) [mailto:[email protected]] Sent: Thursday, July 26, 2018 1:01 AM To: Yu, Ping <[email protected]<mailto:[email protected]>>; [email protected]<mailto:[email protected]> Subject: Re: tls init server is too heavy Hi Ping, The plan you proposed sounds great, so definitely go for it! You’ll have to find a place to store a pointer to the shared engine-generated context (i.e., ssl_ctx) in the generic listener context. If no obvious field is available, maybe you can abuse the ctx_id since we still have space there (note that it’s limited to 42B). Let me know how it goes! Cheers, Florin From: "Yu, Ping" <[email protected]<mailto:[email protected]>> Date: Wednesday, July 25, 2018 at 9:13 AM To: "Florin Coras (fcoras)" <[email protected]<mailto:[email protected]>>, "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Cc: "Yu, Ping" <[email protected]<mailto:[email protected]>> Subject: tls init server is too heavy Hello, Florin In current TLS openssl implementation, in each accepted TLS session, openssl_ctx_init_server needs to re-init ssl_ctx, and set key and certificate, which actually is not necessary, and normally one-time initialization is good enough. After I change this initialization to run only once, I can get around 20~30% performance improvement for CPS. I am now considering to re-architect this initialization, and one possible point is to move this to tls_start_listen. A generic tls_ssl_ctx_init can be the interface, then it will call engine specific, such as openssl ssl_ctx initialization afterward. How do you think? Thanks Ping
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#10109): https://lists.fd.io/g/vpp-dev/message/10109 Mute This Topic: https://lists.fd.io/mt/23814247/21656 Group Owner: [email protected] Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
