possible optimization: repetitive private key reads #20045
Comments
howardjohn
added
enhancement
|
Sounds possible if a cluster use only one Envoy, then all repetitive keys in the Envoy config could be read once. BTW, is RSA still widely used even its poor performance? |
|
While a SSL_CTX is relative hard to share across clusters, my hunch is that private key and tls certificate are supposed to immutable and shared. There are definitely lots of issues need to be resolved if we'd like to share cert chain among various TlsContext |
|
This can be definitely done. Most of the work is migration from |
|
Thank you @PiotrSikora Though the goal is slightly different, #10621 is a great source to understand the underlying load/verification. By reading it, I can confirm lots of TODOs if I want to go with the shared X509, such as the same underlying cert chain bytes can be valid in ssl_ctx_A but invalid in ssl_ctx_B. I don't understand if CRYPTO_BUFFER can save CPU cycles or memory footprint. If there are, what are they? |
The stated goal is different, but 90%+ of the code is the same.
I suspect BoringSSL doesn't process new certificates if they already exist in the |
adisuissa
added
area/perf
area/tls
help wanted
Title: possible optimization: repetitive private key reads
Description:
When investigating #19774, I found another area that may be improved (possibly). Currently, for each cluster/listener, we do a full boringssl processing of the same key/cert pair (I think). This ends up being fairly expensive at scale. With a large number of clusters, startup time is decreased from 5.5s to 4.5s in my tests when using 2048 bit RSA keys vs ECDSA keys (since they are cheaper to process).
RSA:
ECDSA:
I know very little about boringssl or the lifecycles here, but my naive thought is that it could be read once and shared among each cluster
cc @lambdai
The text was updated successfully, but these errors were encountered: