Description

Kamailio TLS mod_init is creating one SSL_CTX per process. Some of the functions take between 1-3 seconds to execute, which slows down the startup sequence greatly.

SSL_CTX_load_verify_locations
SSL_CTX_set_client_CA_list  // list sent to the client
SSL_load_client_CA_file
SSL_CTX_get_client_CA_list

In fact, it is safe to share the SSL_CTX since it is only used to store settings that will be used to initialize new structures; see the documentation reference:

    tls: faster startup using shared SSL_CTX
    
    https://www.openssl.org/docs/man1.1.1/man7/ssl.html
    SSL_CTX (SSL Context)
    This is the global context structure which is created by a server or
    client once per program life-time and which holds mainly default values
    for the SSL structures which are later created for the connections.

I load tested this with 1000 TLS connections.
We could push the refactoring further; this simple modification has a huge impact since the functions are now called only once per SSL / SNI, not per process ...


You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/1585
