Closed
Bug 126840
Opened 23 years ago
Closed 22 years ago
an SSL handshake should not use 18 PKCS#11 sessions
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 145322
3.6
People
(Reporter: julien.pierre, Assigned: bugz)
Details
In bug 125149, we found that the session count in softoken was increasing very quickly. My tests showed that about 18 PKCS#11 sessions were created for each full successful SSL handshake. We need to investigate that to see how we could reduce it. Reducing the number of unnecessary open/close of PKCS#11 sessions will increase performance and decrease contention. In the future, libssl could maintain a pool of PKCS#11 sessions and reuse them as needed when old SSL sessions are closed.
Reporter
Updated•23 years ago
Priority: -- → P2
Target Milestone: --- → 3.4.1
Comment 1•22 years ago
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Assignee
Comment 3•22 years ago
Using the logging tool from bug 98926, I got the following numbers for full handshake, client auth on both handshakes (selfserv -r -r -r -r):

[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 1 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
70 140 2030
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 10 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
610 1220 17750
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 100 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
6010 12020 179930
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 100 -t 10 -N -C c localhost 2>&1 | grep C_OpenSession | wc
5136 10272 158720

Summary: one connection used 70 PKCS#11 sessions, 10 connections used 610, and 100 connections used 6010. 100 connections split between 10 threads used 5136 sessions.

Just FYI, I wanted to apply the tool to an existing bug.
Assignee
Comment 4•22 years ago
I realized when writing bug 145322 that I used the client's numbers here, instead of the server's. Using the same tool, I get about the same count as Julien, ~16 PKCS#11 sessions / full handshake.
Comment 6•22 years ago
Assigned the bug to Ian. Target NSS 3.6.

In 3.6, we should find the answers to at least these two questions:
1. The cost of opening and closing PKCS#11 sessions. This could tell us whether it is worthwhile to reduce the number of PKCS#11 sessions used.
2. For the same number of SSL connections, why does a program with multiple threads use fewer PKCS#11 sessions than a program with one thread?
Assignee: wtc → ian.mcgreer
Priority: P2 → P1
Reporter
Comment 7•22 years ago
We should also try to see how many sessions are in which slot, e.g. the crypto slot for symmetric operations and hashes, and the database slot for the RSA operations. I believe both can be optimized through a session free list in the non-client auth case. If client auth is used, we may not be able to reuse the session for the database slot PKCS#11 session where the RSA operations occur.
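The session free list proposed in the description and in comment 7, as an added example that is not part of this bug thread and is not NSS code. `mock_open_session` and `mock_close_session` are counting stand-ins for `C_OpenSession` and `C_CloseSession`; the pool names, the cap of 8 idle sessions, and the rule that a client-auth handshake leaves exactly one non-reusable session are assumptions made for the model.

```c
#include <stdio.h>

/* Counting stand-ins for C_OpenSession / C_CloseSession (hypothetical mocks). */
typedef unsigned long session_handle;
static unsigned long opens, closes, next_handle = 1;
static session_handle mock_open_session(void) { opens++; return next_handle++; }
static void mock_close_session(session_handle h) { (void)h; closes++; }

#define POOL_MAX 8   /* assumed cap on idle sessions kept per slot */
typedef struct { session_handle idle[POOL_MAX]; size_t n_idle; } session_pool;

/* Reuse an idle session when one exists, otherwise open a new one.
 * Single-threaded sketch: a shared pool would need a lock around both calls. */
session_handle pool_acquire(session_pool *p) {
    if (p->n_idle > 0)
        return p->idle[--p->n_idle];
    return mock_open_session();
}

/* Sessions that carry per-connection state (the client-auth case on the
 * database slot) or that do not fit in the pool are closed, not reused. */
void pool_release(session_pool *p, session_handle h, int reusable) {
    if (reusable && p->n_idle < POOL_MAX)
        p->idle[p->n_idle++] = h;
    else
        mock_close_session(h);
}

/* Model: each handshake performs `ops` sequential operations, each needing one
 * session. Assumption: with client auth, the last one cannot be reused. */
unsigned long simulate(int handshakes, int ops, int use_pool, int client_auth) {
    session_pool p = { {0}, 0 };
    opens = closes = 0;
    for (int i = 0; i < handshakes; i++)
        for (int j = 0; j < ops; j++) {
            session_handle h = use_pool ? pool_acquire(&p) : mock_open_session();
            int tainted = client_auth && j == ops - 1;
            pool_release(&p, h, use_pool && !tainted);
        }
    return opens;
}

int main(void) {
    printf("no pool:            %lu opens\n", simulate(100, 18, 0, 0));
    printf("pool:               %lu opens\n", simulate(100, 18, 1, 0));
    printf("pool + client auth: %lu opens\n", simulate(100, 18, 1, 1));
    return 0;
}
```

The 18 operations per handshake come from the count in the description; the model treats them as sequential, so it shows the best case for reuse.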
Assignee
Comment 8•22 years ago
*** This bug has been marked as a duplicate of 145322 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE