In bug 125149, we found that the session count in softoken was increasing very quickly. My tests showed that about 18 PKCS#11 sessions were created for each full successful SSL handshake. We need to investigate that to see how we could reduce it. Reducing the number of unnecessary opens/closes of PKCS#11 sessions will increase performance and decrease contention. In the future, libssl could maintain a pool of PKCS#11 sessions and reuse them as needed when old SSL sessions are closed.
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Set target milestone to NSS 3.5.
Target Milestone: 3.4.1 → 3.5
Using the logging tool from bug 98926, I got the following numbers for full handshake, client auth on both handshakes (selfserv -r -r -r -r):
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 1 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
70 140 2030
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 10 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
610 1220 17750
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 100 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
6010 12020 179930
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w nss -c 100 -t 10 -N -C c localhost 2>&1 | grep C_OpenSession | wc
5136 10272 158720
Summary: one connection used 70 PKCS#11 sessions, 10 connections used 610, and 100 connections used 6010. 100 connections split between 10 threads used 5136 sessions. Just FYI, I wanted to apply the tool to an existing bug.
I realized when writing bug 145322 that I used the client's numbers here, instead of the server's. Using the same tool, I get about the same count as Julien, ~16 PKCS#11 sessions / full handshake.
Moved to 3.6.
Target Milestone: 3.5 → 3.6
Assigned the bug to Ian. Target NSS 3.6. In 3.6, we should find the answers to at least these two questions:
1. The cost of opening and closing PKCS#11 sessions. This could tell us whether it is worthwhile to reduce the number of PKCS#11 sessions used.
2. For the same number of SSL connections, why does a program with multiple threads use fewer PKCS#11 sessions than a program with one thread?
Assignee: wtc → ian.mcgreer
Priority: P2 → P1
We should also try to see how many sessions are in which slot, e.g. the crypto slot for symmetric operations and hashes, and the database slot for the RSA operations. I believe both can be optimized through a session free list in the non-client auth case. If client auth is used, we may not be able to reuse the session for the database slot PKCS#11 session where the RSA operations occur.
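Added example, not part of the bug thread and not NSS code: a minimal single-threaded C model of the per-slot session free list proposed in the comments above, counting how many sessions get opened with and without reuse. The token_open/token_close stand-ins for C_OpenSession/C_CloseSession, the 14/2 split of the ~16 sessions per handshake between the crypto and database slots, and the pool size are assumptions made for illustration; a real pool shared between threads would also need a lock.

```c
#include <stdio.h>

/* Constructed stand-ins for C_OpenSession / C_CloseSession: they only count calls. */
typedef unsigned long session_t;
static unsigned long opens, closes, next_handle;
static session_t token_open(void)         { opens++; return ++next_handle; }
static void      token_close(session_t h) { (void)h; closes++; }

#define POOL_MAX 8                          /* hypothetical cap on idle sessions */
typedef struct { session_t free_list[POOL_MAX]; int n; } pool_t;   /* one per slot */

/* Reuse an idle session if one exists, otherwise open a new one. */
static session_t pool_acquire(pool_t *p) {
    return p->n > 0 ? p->free_list[--p->n] : token_open();
}

/* Keep the session for reuse; close it if it must not be reused or the list is full. */
static void pool_release(pool_t *p, session_t h, int reusable) {
    if (reusable && p->n < POOL_MAX) p->free_list[p->n++] = h;
    else token_close(h);
}

/* Close every idle session, e.g. at shutdown. */
static void pool_drain(pool_t *p) { while (p->n > 0) token_close(p->free_list[--p->n]); }

/* Hypothetical split of the ~16 sessions per full handshake reported in the thread. */
enum { CRYPTO_OPS = 14, DB_OPS = 2 };

/* Returns how many sessions were opened for `handshakes` sequential full handshakes. */
unsigned long count_opens(int handshakes, int use_pool, int client_auth) {
    pool_t crypto = {{0}, 0}, db = {{0}, 0};
    opens = closes = next_handle = 0;
    for (int i = 0; i < handshakes; i++) {
        for (int k = 0; k < CRYPTO_OPS; k++)
            pool_release(&crypto, pool_acquire(&crypto), use_pool);
        for (int k = 0; k < DB_OPS; k++)   /* thread's caveat: maybe not reusable with client auth */
            pool_release(&db, pool_acquire(&db), use_pool && !client_auth);
    }
    pool_drain(&crypto);
    pool_drain(&db);
    return opens;
}

int main(void) {
    printf("no pool:            %lu\n", count_opens(100, 0, 0));
    printf("pool:               %lu\n", count_opens(100, 1, 0));
    printf("pool + client auth: %lu\n", count_opens(100, 1, 1));
    return 0;
}
```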
*** This bug has been marked as a duplicate of 145322 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE