an SSL handshake should not use 18 PKCS#11 sessions



17 years ago
16 years ago


(Reporter: Julien Pierre, Assigned: Ian McGreer)






17 years ago
In bug 125149, we found that the session count in softoken was increasing very
quickly. My tests showed that about 18 PKCS#11 sessions were created for each
full successful SSL handshake. We need to investigate that to see how we could
reduce it.

Reducing the number of unnecessary open/close of PKCS#11 sessions will increase
performance and decrease contention.
In the future, libssl could maintain a pool of PKCS#11 sessions and reuse them
as needed when old SSL sessions are closed.


17 years ago
Priority: -- → P2
Target Milestone: --- → 3.4.1

Comment 1

16 years ago
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee

Comment 2

16 years ago
Set target milestone to NSS 3.5.
Target Milestone: 3.4.1 → 3.5

Comment 3

16 years ago
Using the logging tool from bug 98926, I got the following numbers for full
handshake, client auth on both handshakes (selfserv -r -r -r -r):

[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 1 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
     70     140    2030
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 10 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
    610    1220   17750
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 100 -t 1 -N -C c localhost 2>&1 | grep C_OpenSession | wc
   6010   12020  179930
[k@24-164-150-83 ssl]$ strsclnt -q -n ExtendedSSLUser -p 9999 -d ext_client -w
nss -c 100 -t 10 -N -C c localhost 2>&1 | grep C_OpenSession | wc
   5136   10272  158720

Summary:  one connection used 70 PKCS#11 sessions, 10 connections used 610, and
100 connections used 6010.  100 connections split between 10 threads used 5136.

Just FYI, I wanted to apply the tool to an existing bug.

Comment 4

16 years ago
I realized when writing bug 145322 that I used the client's numbers here,
instead of the server's.  Using the same tool, I get about the same count as
Julien, ~16 PKCS#11 sessions / full handshake.

Comment 5

16 years ago
Moved to 3.6.
Target Milestone: 3.5 → 3.6

Comment 6

16 years ago
Assigned the bug to Ian. Target NSS 3.6.

In 3.6, we should find the answers to at least these
two questions:
1. The cost of opening and closing PKCS#11 sessions.
This could tell us whether it is worthwhile to reduce
the number of PKCS#11 sessions used.
2. For the same number of SSL connections, why does a program
with multiple threads use fewer PKCS#11 sessions than a
program with one thread?
Assignee: wtc → ian.mcgreer
Priority: P2 → P1

Comment 7

16 years ago
We should also try to see how many sessions are in which slot, e.g. the crypto
slot for symmetric operations and hashes, and the database slot for the RSA 

I believe both can be optimized through a session free list in the non-client 
auth case. If client auth is used, we may not be able to reuse the session for 
the database slot PKCS#11 session where the RSA operations occur.
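
A sketch of the per-slot session free list discussed in the description and in comment 7, added here as an example; it is not NSS code and not from any commenter. The `token_open`/`token_close` stubs, the slot names, the pool size and the per-handshake session counts are all constructed assumptions, and the rule that a database-slot session used for client auth is closed rather than recycled follows the caveat in comment 7.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned long session_handle;
enum { SLOT_CRYPTO, SLOT_DATABASE, SLOT_COUNT };
enum { POOL_MAX = 8, CRYPTO_PER_HANDSHAKE = 3 };   /* constructed values */

/* Hypothetical stand-ins for C_OpenSession/C_CloseSession: they only count calls. */
static unsigned long opens[SLOT_COUNT], closes[SLOT_COUNT], next_handle;
static session_handle token_open(int slot) { opens[slot]++; return ++next_handle; }
static void token_close(int slot, session_handle h) { (void)h; closes[slot]++; }

/* One free list per slot. Not thread-safe: a real pool needs a lock per list. */
static session_handle free_list[SLOT_COUNT][POOL_MAX];
static size_t free_count[SLOT_COUNT];

session_handle pool_acquire(int slot) {
    if (free_count[slot] > 0)
        return free_list[slot][--free_count[slot]];
    return token_open(slot);
}

void pool_release(int slot, session_handle h, int used_client_auth) {
    /* Close instead of recycling when the database-slot session was used
     * for client auth, or when the free list is full. */
    if ((slot == SLOT_DATABASE && used_client_auth) || free_count[slot] == POOL_MAX) {
        token_close(slot, h);
        return;
    }
    free_list[slot][free_count[slot]++] = h;
}

/* Run n sequential handshakes from an empty pool; return sessions opened. */
unsigned long simulate(unsigned n, int client_auth) {
    session_handle c[CRYPTO_PER_HANDSHAKE], d;
    for (int s = 0; s < SLOT_COUNT; s++) opens[s] = closes[s] = free_count[s] = 0;
    for (unsigned i = 0; i < n; i++) {
        for (int k = 0; k < CRYPTO_PER_HANDSHAKE; k++) c[k] = pool_acquire(SLOT_CRYPTO);
        d = pool_acquire(SLOT_DATABASE);
        for (int k = 0; k < CRYPTO_PER_HANDSHAKE; k++) pool_release(SLOT_CRYPTO, c[k], client_auth);
        pool_release(SLOT_DATABASE, d, client_auth);
    }
    return opens[SLOT_CRYPTO] + opens[SLOT_DATABASE];
}

int main(void) {
    printf("no client auth: %lu opens\n", simulate(100, 0));
    printf("client auth:    %lu opens\n", simulate(100, 1));
    return 0;
}
```

Without a pool the same constructed workload would open 400 sessions for 100 handshakes; with client auth only the database-slot opens still grow with the connection count.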

Comment 8

16 years ago

*** This bug has been marked as a duplicate of 145322 ***
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE