Bug #64719

open

SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working

Added by Mark Kogan about 2 months ago. Updated about 2 months ago.

Status: Pending Backport
Priority: Normal
Assignee:
Target version:
% Done: 0%
Source: Development
Tags: beast ssl backport_processed
Backport: quincy reef squid
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The OpenSSL session-id reuse acceleration mechanism that is described in SSL_CTX_set_session_id_context

https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_session_id_context.html
SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only)

is not operating currently.

The check methodology uses the 'openssl s_client' command below; note the `--reconnect`, which reconnects 5 times:

echo "" | openssl s_client -connect 0:8443 --reconnect -no_ticket -tls1_2 |& grep Session-ID

When not working correctly, the session-ids will be different.
When working correctly, the session-ids will be the same
(see example below).

Performance measurements:
When the mechanism is not working, performing a loop of 1000 openssl --connect --reconnect ... takes 38.870 seconds.
When the mechanism is working, performing a loop of 1000 openssl --connect --reconnect ... takes 16.038 seconds.

// BEFORE FIX:
❯ time (for I in {1..1000}; do echo $I ; echo "" | openssl s_client -connect x.x.x.ceph.com:8443 --reconnect -no_ticket -tls1_2 |& grep 'Session-ID:' > openssl.txt ; done)
( for I in {1..1000}; do; echo $I; echo "" | openssl s_client -connect     | )  9.19s user 6.67s system 40% cpu 38.870 total
                                                                                                                ^^^^^^
❯ cat openssl.txt
    Session-ID: 0CAB532FC91584CAC1BBB0A91FF874C88CD4233C426BD7F5332E6A32643DB668
    Session-ID: E8349831EC98AC87215FAFCA12CC8573DEEDB4845522D417103AEB5109C5407D
    Session-ID: 6B5B566EDE2D84F8D43F023D451896FF9B50DF4EA1AE76EED9300AB2C8730B10
    Session-ID: ACDBD3EEDC4416C685BE962A6402869A6ECD25C00474EE457216C644E40719ED
    Session-ID: AB4C2EC629017FE0433C3B3702AB44E0030F5FDFEF0D48117958034BC71F3AF7
    Session-ID: 56BE99BC9E55A29A72A10B3BB88EEB3C40ED381140484382EB36186A5B56FB59

// AFTER FIX:
❯ time (for I in {1..1000}; do echo $I ; echo "" | openssl s_client -connect x.x.x.ceph.com:8443 --reconnect -no_ticket -tls1_2 |& grep 'Session-ID:' > openssl.txt ; done)
( for I in {1..1000}; do; echo $I; echo "" | openssl s_client -connect     | )  7.94s user 5.86s system 86% cpu 16.038 total
                                                                                                                ^^^^^^
❯ cat openssl.txt
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
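
The check described in this report, as an added example (not part of the original report or of the Ceph code): a POSIX shell function that reads `openssl s_client` reconnect output and reports whether the session ID was reused. The function names and the three-way exit code are this example's own; the sample Session-ID lines are copied from the two outputs above.

```shell
#!/bin/sh
# Added example (not from the Ceph tracker): decide from `openssl s_client`
# reconnect output whether the server resumed the session by ID.

# Print each Session-ID in connection order; an empty ID is printed as "-".
# The trailing colon in the pattern keeps "Session-ID-ctx:" lines out.
session_ids() {
    awk '/^[ \t]*Session-ID:/ { print ($2 == "" ? "-" : $2) }'
}

# Read s_client output on stdin, print a verdict, and return
#   0 = all connections share one session ID (reuse works)
#   1 = more than one distinct ID (at least one reconnect got a new session)
#   2 = inconclusive (fewer than two IDs, or the server sent an empty ID)
check_session_reuse() {
    csr_ids=$(session_ids)
    csr_total=$(printf '%s\n' "$csr_ids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$csr_total" -lt 2 ] || printf '%s\n' "$csr_ids" | grep -qx -e '-'; then
        echo "inconclusive: $csr_total session IDs seen"
        return 2
    fi
    csr_distinct=$(printf '%s\n' "$csr_ids" | sort -u | awk 'NF { n++ } END { print n + 0 }')
    if [ "$csr_distinct" -eq 1 ]; then
        echo "reused: $csr_total connections, 1 session ID"
        return 0
    fi
    echo "not reused: $csr_total connections, $csr_distinct distinct session IDs"
    return 1
}

# Sample input: Session-ID lines copied from the BEFORE and AFTER outputs above.
BEFORE_FIX='    Session-ID: 0CAB532FC91584CAC1BBB0A91FF874C88CD4233C426BD7F5332E6A32643DB668
    Session-ID: E8349831EC98AC87215FAFCA12CC8573DEEDB4845522D417103AEB5109C5407D
    Session-ID: 6B5B566EDE2D84F8D43F023D451896FF9B50DF4EA1AE76EED9300AB2C8730B10'
AFTER_FIX='    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
    Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593'

# Live use (HOST:PORT is a placeholder):
#   echo "" | openssl s_client -connect HOST:PORT -reconnect -no_ticket -tls1_2 2>&1 | check_session_reuse
```

The exit code makes the check usable as a regression test after a backport: a non-zero status means the reconnects did not resume by session ID.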

Related issues 3 (1 open, 2 closed)

Copied to rgw - Backport #64764: squid: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working - Resolved - Casey Bodley
Copied to rgw - Backport #64766: reef: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working - Resolved - Mark Kogan
Copied to rgw - Backport #64767: quincy: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working - In Progress - Mark Kogan
#1

Updated by Mark Kogan about 2 months ago

  • Pull request ID set to 55967
#2

Updated by Casey Bodley about 2 months ago

  • Status changed from In Progress to Fix Under Review
  • Tags set to beast ssl
  • Backport set to quincy reef squid
#3

Updated by J. Eric Ivancich about 2 months ago

  • Status changed from Fix Under Review to Pending Backport
#4

Updated by Backport Bot about 2 months ago

  • Copied to Backport #64764: squid: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working added
#5

Updated by Backport Bot about 2 months ago

  • Copied to Backport #64766: reef: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working added
#6

Updated by Backport Bot about 2 months ago

  • Copied to Backport #64767: quincy: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working added
#7

Updated by Backport Bot about 2 months ago

  • Tags changed from beast ssl to beast ssl backport_processed