Thanks to visit codestin.com
Credit goes to github.com

Skip to content

SSL object cache #140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 1, 2024
Merged

SSL object cache #140

merged 6 commits into from
Oct 1, 2024
+1,094 −358

Conversation

@pluknet
Copy link
Contributor

@pluknet pluknet commented Sep 9, 2024

Proposed changes

WIP as obtained from https://mailman.nginx.org/pipermail/nginx-devel/2024-August/IKMUSKO6KA3UCDEJTXKDPZZZOEZ3THSO.html

The series adds object caching of statically specified certificates, certificate keys, CRLs, and CA ceritficates.

@pluknet pluknet force-pushed the ssl-cache branch 2 times, most recently from fc58084 to c51af6b Compare September 16, 2024 12:55
@pluknet
Copy link
Contributor Author

pluknet commented Sep 16, 2024

changes:

  • restored to always use the full name to avoid object duplicates and relative paths in logs
  • restored to support "data:" special value only for certificates/keys
  • removed using transient pool
  • removed duplicate string comparison for "data:" and "engine:" by caching this data in bit fields

@pluknet
Copy link
Contributor Author

pluknet commented Sep 19, 2024

changes:

  • restored ngx_ssl_certificate_name_index
  • misc.

@pluknet pluknet requested a review from arut September 19, 2024 14:32
bavshin-f5
bavshin-f5 approved these changes Sep 23, 2024
View reviewed changes
Copy link
Member

@bavshin-f5 bavshin-f5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@pluknet
SSL: moved certificate storage out of exdata.
9d87922 
Instead of cross-linking the objects using exdata, pointers to configured
certificates are now stored in ngx_ssl_t, and OCSP staples are now accessed
with rbtree in it.  This allows sharing these objects between SSL contexts.

Based on previous work by Mini Hawthorne.
arut
arut reviewed Sep 28, 2024
View reviewed changes
arut
arut reviewed Sep 28, 2024
View reviewed changes
arut
arut reviewed Sep 28, 2024
View reviewed changes
@pluknet
Copy link
Contributor Author

pluknet commented Sep 30, 2024

changes:

  • applied ngx_ssl_cache_fetch() simplification
  • added comment about ngx_ssl_cert_already_in_hash (requested by @arut in private), and some style

arut
arut approved these changes Sep 30, 2024
View reviewed changes
Copy link
Contributor

@arut arut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

bavshin-f5
bavshin-f5 reviewed Sep 30, 2024
View reviewed changes
@pluknet
SSL: object caching.
04ebfac 
Added ngx_openssl_cache_module, which indexes a type-aware object cache.
It maps an id to a unique instance, and provides references to it, which
are dropped when the cycle's pool is destroyed.

The cache will be used in subsequent patches.

Based on previous work by Mini Hawthorne.
@pluknet
SSL: caching certificates.
829bacc 
Certificate chains are now loaded once.

The certificate cache provides each chain as a unique stack of reference
counted elements.  This shallow copy is required because OpenSSL stacks
aren't reference counted.

Based on previous work by Mini Hawthorne.
@pluknet
SSL: caching certificate keys.
4e01dca 
EVP_KEY objects are a reference-counted container for key material, shallow
copies and OpenSSL stack management aren't needed as with certificates.

Based on previous work by Mini Hawthorne.
@pluknet
SSL: caching CRLs.
0407fe5 
Based on previous work by Mini Hawthorne.
@pluknet
SSL: caching CA certificates.
fc253a0 
This can potentially provide a large amount of savings,
because CA certificates can be quite large.

Based on previous work by Mini Hawthorne.
@pluknet pluknet merged commit 5917e9d into nginx:master Oct 1, 2024
@pluknet pluknet deleted the ssl-cache branch October 1, 2024 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arut arut arut approved these changes

@bavshin-f5 bavshin-f5 bavshin-f5 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pluknet @arut @bavshin-f5