Closed Bug 126840 Opened 23 years ago Closed 22 years ago

an SSL handshake should not use 18 PKCS#11 sessions

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 145322

People

(Reporter: julien.pierre, Assigned: bugz)

Details

In bug 125149, we found that the session count in softoken was increasing very
quickly. My tests showed that about 18 PKCS#11 sessions were created for each
full successful SSL handshake. We need to investigate that to see how we could
reduce it.

Reducing the number of unnecessary open/close of PKCS#11 sessions will increase
performance and decrease contention.
In the future, libssl could maintain a pool of PKCS#11 sessions and reuse them
as needed when old SSL sessions are closed.
Priority: -- → P2
Target Milestone: --- → 3.4.1
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Set target milestone to NSS 3.5.
Target Milestone: 3.4.1 → 3.5
Using the logging tool from bug 98926, I got the following numbers for full
handshake, client auth on both handshakes (selfserv -r -r -r -r):

[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 1 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
     70     140    2030
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 10 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
    610    1220   17750
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 100 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
   6010   12020  179930
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 100 -t 10 -N -C c localhost 2>&1 | grep C_OpenSession | wc
   5136   10272  158720


Summary:  one connection used 70 PKCS#11 sessions, 10 connections used 610, and
100 connections used 6010.  100 connections split between 10 threads used 5136
sessions.

Just FYI, I wanted to apply the tool to an existing bug.
I realized when writing bug 145322 that I used the client's numbers here,
instead of the server's.  Using the same tool, I get about the same count as
Julien, ~16 PKCS#11 sessions / full handshake.
Moved to 3.6.
Target Milestone: 3.5 → 3.6
Assigned the bug to Ian. Target NSS 3.6.

In 3.6, we should find the answers to at least these
two questions:
1. The cost of opening and closing PKCS#11 sessions.
This could tell us whether it is worthwhile to reduce
the number of PKCS#11 sessions used.
2. For the same number of SSL connections, why does a program
with multiple threads use fewer PKCS#11 sessions than a
program with one thread?
Assignee: wtc → ian.mcgreer
Priority: P2 → P1
We should also try to see how many sessions are in which slot, e.g. the crypto 
slot for symmetric operations and hashes, and the database slot for the RSA 
operations.

I believe both can be optimized through a session free list in the non-client 
auth case. If client auth is used, we may not be able to reuse the session for 
the database slot PKCS#11 session where the RSA operations occur.
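
The session free list suggested in the comment above (and the libssl session pool mentioned in the original report) can be modeled as follows. This is an added example, not NSS code: every name is hypothetical, mock_open/mock_close stand in for C_OpenSession/C_CloseSession, and the 12/4 split of the ~16 session uses between the two slots is a constructed assumption.

```c
/* Added illustration, not NSS code: per-slot free list of PKCS#11 sessions. */
#include <stddef.h>
#include <stdio.h>
#define POOL_MAX 8
enum { SLOT_CRYPTO, SLOT_DB, SLOT_COUNT };  /* the two slots named in the thread */
typedef unsigned long session_t;            /* stand-in for CK_SESSION_HANDLE */
static unsigned long opens, closes;         /* mock token call counters */
static session_t pool[SLOT_COUNT][POOL_MAX];
static size_t pool_len[SLOT_COUNT];
static session_t mock_open(void) { return ++opens; }          /* C_OpenSession stand-in */
static void mock_close(session_t s) { (void)s; ++closes; }    /* C_CloseSession stand-in */

/* Reuse a pooled session for this slot, or open a new one if none is free. */
session_t session_get(int slot) {
    if (pool_len[slot] > 0)
        return pool[slot][--pool_len[slot]];
    return mock_open();
}

/* Return a session; close it if flagged no_reuse or if the pool is full. */
void session_put(int slot, session_t s, int no_reuse) {
    if (no_reuse || pool_len[slot] == POOL_MAX)
        mock_close(s);
    else
        pool[slot][pool_len[slot]++] = s;
}

/* One modeled handshake: 12 crypto-slot and 4 database-slot session uses
 * (constructed split), sequential. With client auth, DB sessions are not reused. */
void handshake(int client_auth) {
    for (int i = 0; i < 12; i++)
        session_put(SLOT_CRYPTO, session_get(SLOT_CRYPTO), 0);
    for (int i = 0; i < 4; i++)
        session_put(SLOT_DB, session_get(SLOT_DB), client_auth);
}

/* Run n handshakes from an empty pool; return how many sessions were opened. */
unsigned long opens_for(int n, int client_auth) {
    opens = closes = 0;
    pool_len[SLOT_CRYPTO] = pool_len[SLOT_DB] = 0;
    while (n-- > 0) handshake(client_auth);
    return opens;
}

int main(void) {
    printf("100 handshakes, no client auth: %lu opens\n", opens_for(100, 0));
    printf("100 handshakes, client auth:    %lu opens\n", opens_for(100, 1));
    return 0;
}
```

Under these assumptions, 100 handshakes that would cost 1600 opens without a free list cost 2 without client auth and 401 with it, since only the database-slot sessions are closed after each use.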

*** This bug has been marked as a duplicate of 145322 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE