Bug #64719
openSSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working
% Done:
0%
Source:
Development
Tags:
beast ssl backport_processed
Backport:
quincy reef squid
Regression:
No
Severity:
3 - minor
Reviewed:
Description
The OpenSSL session-id reuse acceleration mechanism that is described in SSL_CTX_set_session_id_context (https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_session_id_context.html: "SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only)") is not operating currently.
The check methodology uses the 'openssl s_client' command below; note the `--reconnect`, which reconnects 5 times:
echo "" | openssl s_client -connect 0:8443 --reconnect -no_ticket -tls1_2 |& grep Session-ID
When not working correctly, the session-ids will be different.
When working correctly, the session-ids will be the same
(see example below).
Performance measurements:
When the mechanism is not working, performing a loop of 1000 openssl --connect --reconnect ... takes 38.870 seconds.
When the mechanism is working, performing a loop of 1000 openssl --connect --reconnect ... takes 16.038 seconds.
```
// BEFORE FIX:
❯ time (for I in {1..1000}; do echo $I ; echo "" | openssl s_client -connect x.x.x.ceph.com:8443 --reconnect -no_ticket -tls1_2 |& grep 'Session-ID:' > openssl.txt ; done)
( for I in {1..1000}; do; echo $I; echo "" | openssl s_client -connect | )  9.19s user 6.67s system 40% cpu 38.870 total
                                                                                                          ^^^^^^
❯ cat openssl.txt
Session-ID: 0CAB532FC91584CAC1BBB0A91FF874C88CD4233C426BD7F5332E6A32643DB668
Session-ID: E8349831EC98AC87215FAFCA12CC8573DEEDB4845522D417103AEB5109C5407D
Session-ID: 6B5B566EDE2D84F8D43F023D451896FF9B50DF4EA1AE76EED9300AB2C8730B10
Session-ID: ACDBD3EEDC4416C685BE962A6402869A6ECD25C00474EE457216C644E40719ED
Session-ID: AB4C2EC629017FE0433C3B3702AB44E0030F5FDFEF0D48117958034BC71F3AF7
Session-ID: 56BE99BC9E55A29A72A10B3BB88EEB3C40ED381140484382EB36186A5B56FB59

// AFTER FIX:
❯ time (for I in {1..1000}; do echo $I ; echo "" | openssl s_client -connect x.x.x.ceph.com:8443 --reconnect -no_ticket -tls1_2 |& grep 'Session-ID:' > openssl.txt ; done)
( for I in {1..1000}; do; echo $I; echo "" | openssl s_client -connect | )  7.94s user 5.86s system 86% cpu 16.038 total
                                                                                                          ^^^^^^
❯ cat openssl.txt
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
```
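The manual comparison of Session-ID lines described in this report can be scripted so it is usable as a regression check. This is an added example, not part of the original report or of the Ceph code; the function names `session_reuse_verdict`, `sample_before` and `sample_after` are hypothetical, and the sample input is the first three Session-ID lines from each of the report's two listings.

```shell
#!/usr/bin/env bash
# Classify `openssl s_client ... --reconnect` output by Session-ID reuse.
# Reads s_client output (or only its "Session-ID:" lines) on stdin and prints
#   "<verdict> handshakes=<n> distinct=<m>"
# reused        every handshake carried the same Session-ID
# not-reused    every handshake got a fresh Session-ID (the symptom reported here)
# partial       some reconnects resumed the session, some did not
# inconclusive  fewer than two non-empty Session-IDs were seen
session_reuse_verdict() {
  awk '
    # Anchored so that the "Session-ID-ctx:" line of s_client output is ignored.
    /^[ \t]*Session-ID:/ {
      id = $NF
      if (id == "Session-ID:") next      # empty ID: nothing to compare
      n++
      if (!(id in seen)) { seen[id] = 1; distinct++ }
    }
    END {
      if (n < 2)              v = "inconclusive"
      else if (distinct == 1) v = "reused"
      else if (distinct == n) v = "not-reused"
      else                    v = "partial"
      printf "%s handshakes=%d distinct=%d\n", v, n, distinct
    }'
}

# Sample input: first three lines of the BEFORE FIX listing in this report.
sample_before() { cat <<'EOF'
Session-ID: 0CAB532FC91584CAC1BBB0A91FF874C88CD4233C426BD7F5332E6A32643DB668
Session-ID: E8349831EC98AC87215FAFCA12CC8573DEEDB4845522D417103AEB5109C5407D
Session-ID: 6B5B566EDE2D84F8D43F023D451896FF9B50DF4EA1AE76EED9300AB2C8730B10
EOF
}

# Sample input: first three lines of the AFTER FIX listing in this report.
sample_after() { cat <<'EOF'
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
Session-ID: 6791FAC534C991F5787568CCEB4DC3BE5F160872B5681AC967CFCB8864ED2593
EOF
}
```

Against a live endpoint, pipe the report's `openssl s_client` command into `session_reuse_verdict` in place of `grep Session-ID`.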
Updated by Casey Bodley about 2 months ago
- Status changed from In Progress to Fix Under Review
- Tags set to beast ssl
- Backport set to quincy reef squid
Updated by J. Eric Ivancich about 2 months ago
- Status changed from Fix Under Review to Pending Backport
Updated by Backport Bot about 2 months ago
- Copied to Backport #64764: squid: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working added
Updated by Backport Bot about 2 months ago
- Copied to Backport #64766: reef: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working added
Updated by Backport Bot about 2 months ago
- Copied to Backport #64767: quincy: SSL session id reuse speedup mechanism of the SSL_CTX_set_session_id_context is not working added
Updated by Backport Bot about 2 months ago
- Tags changed from beast ssl to beast ssl backport_processed