-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tls resume PoC (server stateless) #57079
Conversation
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue Detailscontributes to #22977 This still needs some more testing and cleanup but it would be great to get some early feedback @bartonjs and @stephentoub With OpenSSL the general strategy is to create SSL_CTX and set some parameters. Then that is used to create individual SSL sessions. That does not really fit into .NET API surface where one create This PR is trying to reuse SSL_CTX in some cases when it seems to be safe to do so.
Windows runs always timed out for me. With #49845 claiming 15K RPS we should be on par with 16K+ unless there was another jump with 6.0. (I'll try to follow up on this with @sebastienros At this point .NET client still does not work and for that reason performance microbenchmarks are not available. Since it is getting late I'm wondering if we should add AptContext switch and ENV variable to be able to opt-out in case session reuse create problem for somebody. (not done in this PR) TL;DR This is somewhat arbitrary split but I decided to loosely follow Credentials lookup and use certificate, enabled TLS protocols and EncryptionPolicy as unique combination. Since EncryptionPolicy.NoEncryption and EncryptionPolicy.AllowNoEncryption are somewhat lame and obscure I decided to avoid them for purpose of resume and I use With that, many operation we did on The notable exception is I was also wondering if we need any other locking or grabbing extra reference on the
|
/azp run runtime |
Azure Pipelines successfully started running 1 pipeline(s). |
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
Outdated
Show resolved
Hide resolved
Browser runs are hitting #57501, unrelated to this PR. |
@stephentoub if we get your approval for code-review, we can merge (CI is OK). |
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_ssl.h
Outdated
Show resolved
Hide resolved
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_ssl.h
Outdated
Show resolved
Hide resolved
/azp run runtime-libraries stress-ssl |
Azure Pipelines successfully started running 1 pipeline(s). |
This should be ready for any final pass @stephentoub or anybody from @dotnet/ncl
I was planning to run another round of perf tests just to be sure but I have some difficulties - most likely because main moved to 7.0. |
@@ -513,6 +519,33 @@ int32_t CryptoNative_SetCiphers(SSL_CTX* ctx, const char* cipherList, const char | |||
return ret; | |||
} | |||
|
|||
int32_t CryptoNative_SetCiphers(SSL* ssl, const char* cipherList, const char* cipherSuites) | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth asserting (cipherList != NULL) ^ (cipherSuites != NULL) ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
Does this only create a problem when SslServerAuthenticationOptions.ApplicationProtocols is unset? Or is it a problem if the client does not request ALPN? I take it from wrk showing an improvement that ALPN only needs to be requested by the server. If so, that's not problem for Kestrel since we always set this list even if only for "http/1.1". |
The problem I bump into as with SslServerAuthenticationOptions.ApplicationProtocols unset @halter73. The current behavior is that we don't set the callback and OpenSSL basically ignores ALPN and you get |
Is it getting backported to 6.0 ? |
@stephentoub you originally wanted to consider it for 6.0 backport. Do we have enough wins here (e.g. in TechEmpower benchmark) to justify it? |
While it'd be great to see this in 6.0, at this point I'm skeptical there's enough runway to properly validate the change with low enough risk. I think we should probably just get it in for 7.0. @danmoseley, @geoffkizer, dissent? |
@davidfowl might want to chime in here as well ;) |
Maybe good to follow up with the customers that pushed for this change. |
@davidfowl I can't find any customer pushing for the change. |
Hi @wfurt as part of integration tests for https://github.com/dotnet/templating we have arcade bot bumping runtime for us so our Error is: Is this runtime bug or our CI needs to update libssl or something else? |
It seems like you use Ubuntu 14.04 with OpenSSL 1.0.1? They are long out of support IMHO. (even Ubuntu 16 is getting pretty old) Is there chance you can bump OpenSSL to at least 1.0.2 or update the base container @DavidKarlas ? |
contributes to #22977
fixes #49845
This still needs some more testing and cleanup but it would be great to get some early feedback @bartonjs and @stephentoub
With OpenSSL the general strategy is to create SSL_CTX and set some parameters. Then that is used to create individual SSL sessions. That does not really fit into .NET API surface where one create
SslStream
and thenAuthenticateAs*
is called with varying parameters. For that reason (most likely) we always create new SSL_CTX for each stream. Aside from doing more work, this prevents TLS resume to work as the session cache and whatever is needed is linked to SSL_CTX.This PR is trying to reuse SSL_CTX in some cases when it seems to be safe to do so.
Here is impact on
connectionclosehttps
benchmark from ASP.NET on Linux.RPS jumps ~ 21x.
Windows runs always timed out for me. With #49845 claiming 15K RPS we should be on par with 16K+ unless there was another jump with 6.0. (I'll try to follow up on this with @sebastienros
At this point .NET client still does not work and for that reason performance microbenchmarks are not available.
The reason what ASP.NET shows improvement is because it is using different tool. (wrk)
Since it is getting late I'm wondering if we should add AptContext switch and ENV variable to be able to opt-out in case session reuse create problem for somebody. (not done in this PR)
TL;DR
This is somewhat arbitrary split but I decided to loosely follow Credentials lookup and use certificate, enabled TLS protocols and EncryptionPolicy as unique combination.
Since EncryptionPolicy.NoEncryption and EncryptionPolicy.AllowNoEncryption are somewhat lame and obscure I decided to avoid them for purpose of resume and I use
protocols
as key to cache attached toSslCertificateContext
e.g. unique server certificate. When SSL_CTX exist for given combination we would use it instead of creating new one when creatingSafeSslHandle
.With that, many operation we did on
SSL_CTX
needs to move toSSL
itself. Luckily OpenSSL have basically everyone in pars e.g. each operation can be done on either one. There is lot of turn in PAL code but that should mostly be 1:1 change. I also try to use consistently namingCryptoNative_SslCtx*
for operations working on SSL_CTX to make it more obvious.The notable exception is
SSL_CTX_set_alpn_select_cb
that can be set only on SSL_CTX and there is no matchingSSL_set_alpn_select_cb
. Since the logic is common I useSslSetData
andSslGetData
to attache the specific ALPN list toSSL
itself and I grab it again inAlpnServerSelectCallback
.That seems to work quite well.
The resining problem is that once the callback is sett it MUST choose ALPN and it cannot wet run NULL.
That creates problem for cases when ALPN is not requested. I don't know how common that is but for now I exclude that from cache lookup. That can be easily fixed if needed either be factoring ALPN to cache lookup or simply by creating parallel cache. (would cost extra dictionary per server/SslCertificateContext)
maybe @Tratcher has some idea how important that is.
I was also wondering if we need any other locking or grabbing extra reference on the
SafeSslContextHandle
.Since we are new freeing it immediately it feels like we don't as life cycle will be linked to the
SslCertificateContext
.That is not IDisposable so it will live as long as there is reference to it.