Deduplicate orderer server TLS root CAs #2029

Merged
merged 1 commit into from
Oct 20, 2020

@yacovm yacovm commented Oct 20, 2020

When the orderer TLS root CAs are updated, an aggregation of all root TLS CA certificates over all channels is injected into the PredicateDialer.
Then, upon client TLS handshake, a fresh TLS config object is built (for orthogonal purposes), however the operation entails parsing of all
root CAs all over again.

In case the orderer is part of too many channels, this induces a high and unnecessary processing overhead.

This commit simply performs a deduplication of the bespoken TLS root CA certificates prior to updating the root CAs.

Change-Id: I21b2ed483afc9595c2ccd7fbe9ec0cf475cc5f62
Signed-off-by: yacovm <yacovm@il.ibm.com>
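
The deduplication described above, as an added Go example that is not Fabric's code and not the code from this pull request. The function name `dedupRootCAs`, the throwaway CA generator and the 500-channel figure are assumptions; the example also loads the deduplicated set into an `x509.CertPool` to show where the parsing cost is paid.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCAPEM builds a throwaway self-signed CA certificate (constructed sample input).
func newCAPEM(serial int64) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// dedupRootCAs drops byte-identical PEM entries, keeping first-seen order.
func dedupRootCAs(rootCAs [][]byte) (out [][]byte) {
	seen := map[string]bool{}
	for _, ca := range rootCAs {
		if !seen[string(ca)] {
			seen[string(ca)] = true
			out = append(out, ca)
		}
	}
	return out
}

func main() {
	org1, org2 := newCAPEM(1), newCAPEM(2)
	var all [][]byte // the same two CAs aggregated from 500 channels
	for i := 0; i < 500; i++ {
		all = append(all, org1, org2)
	}
	unique := dedupRootCAs(all)
	ok := x509.NewCertPool().AppendCertsFromPEM(bytes.Join(unique, nil)) // 2 parses, not 1000
	fmt.Printf("aggregated=%d unique=%d pool_ok=%v\n", len(all), len(unique), ok)
}
```

Comparison is on the raw PEM bytes, so the same certificate encoded with different whitespace or line endings would still count as two entries.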

@yacovm yacovm requested a review from a team as a code owner October 20, 2020 19:41
@yacovm yacovm changed the title Deduplicate server TLS root CAs Deduplicate orderer server TLS root CAs Oct 20, 2020
@yacovm yacovm force-pushed the deduplicateServerRootCAs branch from b0ab47e to dddad1a Compare October 20, 2020 19:43

@jyellick jyellick left a comment

Looks good to me

@jyellick jyellick merged commit 48d532f into hyperledger:master Oct 20, 2020

yacovm commented Oct 21, 2020

@Mergifyio backport release-2.2

mergify bot commented Oct 21, 2020

Command backport release-2.2: success

Backports have been created

mergify bot pushed a commit that referenced this pull request Oct 21, 2020
(cherry picked from commit 48d532f)

# Conflicts:
#	orderer/common/server/main_test.go
@yacovm yacovm deleted the deduplicateServerRootCAs branch February 9, 2021 10:38