Ceph: Mark Kogan
https://tracker.ceph.com/
2024-03-11T11:17:10Z

rgw - Backport #64766 (In Progress): reef: SSL session id reuse speedup mechanism of the SSL_CTX_...
https://tracker.ceph.com/issues/64766#change-256539
2024-03-11T11:17:10Z, Mark Kogan (mkogan@redhat.com)

rgw - Backport #64767 (In Progress): quincy: SSL session id reuse speedup mechanism of the SSL_CT...
https://tracker.ceph.com/issues/64767#change-256537
2024-03-11T11:07:50Z, Mark Kogan (mkogan@redhat.com)

rgw - Bug #64719 (Pending Backport): SSL session id reuse speedup mechanism of the SSL_CTX_set_se...
https://tracker.ceph.com/issues/64719
2024-03-05T14:16:47Z, Mark Kogan (mkogan@redhat.com)
<p>The OpenSSL session-id reuse acceleration mechanism that is described in SSL_CTX_set_session_id_context</p>
<p><a class="external" href="https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_session_id_context.html">https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_session_id_context.html</a><br /><em>SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only)</em></p>
<p>is not operating currently.</p>
<p>The check methodology is with the 'openssl s_client' command below; note the `--reconnect`, which reconnects 5 times:<br /><pre>
echo "" | openssl s_client -connect 0:8443 --reconnect -no_ticket -tls1_2 |& grep Session-ID
</pre><br />When not working correctly, the session-ids will be different;<br />when working correctly, the session-ids will be the same<br />(see example below).</p>
<p>Performance measurements:<br />when the mechanism is not working, performing a loop of 1000 openssl --connect --reconnect ... takes 38.870 seconds;<br />when the mechanism is working, performing a loop of 1000 openssl --connect --reconnect ... takes 16.038 seconds.</p>
<pre>
// BEFORE FIX:
❯ time (for I in {1..1000}; do echo $I ; echo "" | openssl s_client -connect x.x.x.ceph.com:8443 --reconnect -no_ticket -tls1_2 |& grep 'Session-ID:' > openssl.txt ; done)
( for I in {1..1000}; do; echo $I; echo "" | openssl s_client -connect | ) 9.19s user 6.67s system 40% cpu 38.870 total
^^^^^^
❯ cat openssl.txt
Session-ID: 0CAB532FC91584CAC1BBB0A91FF874C88CD4233C426BD7F5332E6A32643DB668
Session-ID: E8349831EC98AC87215FAFCA12CC8573DEEDB4845522D417103AEB5109C5407D
Session-ID: 6B5B566EDE2D84F8D43F023D451896FF9B50DF4EA1AE76EED9300AB2C8730B10
Session-ID: ACDBD3EEDC4416C685BE962A6402869A6ECD25C00474EE457216C644E40719ED
Session-ID: AB4C2EC629017FE0433C3B3702AB44E0030F5FDFEF0D48117958034BC71F3AF7
Session-ID: 56BE99BC9E55A29A72A10B3BB88EEB3C40ED381140484382EB36186A5B56FB59
// AFTER FIX:
❯ time (for I in {1..1000}; do echo $I ; echo "" | openssl s_client -connect x.x.x.ceph.com:8443 --reconnect -no_ticket -tls1_2 |& grep 'Session-ID:' > openssl.txt ; done)
( for I in {1..1000}; do; echo $I; echo "" | openssl s_client -connect | ) 7.94s user 5.86s system 86% cpu 16.038 total
^^^^^^
❯ cat openssl.txt
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
</pre>
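An added example (not part of the original report, and not Ceph code): a bash function that turns the manual Session-ID comparison above into a pass/fail check over `openssl s_client` output. The function names `check_session_reuse`, `sample_broken` and `sample_fixed` are hypothetical, and the sample output is constructed rather than captured from a server.

```shell
#!/usr/bin/env bash
# Reads `openssl s_client ... --reconnect` output on stdin and reports whether
# every handshake carried the same TLS session id.
# Return codes: 0 = reused, 1 = not reused, 2 = inconclusive (fewer than 2 ids).
check_session_reuse() {
    local ids total distinct
    # Match "Session-ID: <hex>" exactly. A loose match on "Session-ID" would
    # also pick up the "Session-ID-ctx:" lines that s_client prints, and an
    # empty session id must not be counted as a handshake result.
    ids=$(sed -n 's/^[[:space:]]*Session-ID: \([0-9A-Fa-f]\{1,\}\)[[:space:]]*$/\1/p')
    if [ -z "$ids" ]; then
        echo "inconclusive: no session ids found"
        return 2
    fi
    total=$(printf '%s\n' "$ids" | wc -l | tr -d ' ')
    distinct=$(printf '%s\n' "$ids" | sort -u | wc -l | tr -d ' ')
    if [ "$total" -lt 2 ]; then
        echo "inconclusive: only 1 handshake seen"
        return 2
    fi
    if [ "$distinct" -eq 1 ]; then
        echo "reused: $total handshakes, 1 session id"
        return 0
    fi
    echo "not-reused: $total handshakes, $distinct session ids"
    return 1
}

# Constructed samples (short made-up ids), shaped like s_client output.
sample_broken() {
    printf '    Session-ID: %s\n    Session-ID-ctx: \n' A1A1 B2B2 C3C3
}
sample_fixed() {
    printf '    Session-ID: %s\n    Session-ID-ctx: \n' D4D4 D4D4 D4D4
}

# Demo on the constructed samples.
sample_broken | check_session_reuse || true
sample_fixed | check_session_reuse || true

# Against a live endpoint, using the command from the report (HOST is a placeholder):
#   echo "" | openssl s_client -connect HOST:8443 --reconnect -no_ticket -tls1_2 2>&1 | check_session_reuse
```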