performance is affected after merge OCSP changeset
Roman Arutyunyan
arut at nginx.com
Thu Oct 21 12:15:06 UTC 2021
On Tue, Oct 19, 2021 at 01:07:56PM +0300, Sergey Kandaurov wrote:
>
> > On 12 Oct 2021, at 14:31, Sergey Kandaurov <pluknet at nginx.com> wrote:
> >
> >
> >> On 12 Oct 2021, at 10:41, sun edward <sunzhiyong3210 at gmail.com> wrote:
> >>
> >> Hi,
> >> There is a changeset fe919fd63b0b "client certificate validation with OCSP" , after merge this changeset, the performance seems not as good as before, the avg response time increased about 50~60ms. is there a way to optimize this problem?
> >>
> >
> > Are you referring to processing 0-RTT HTTP/3 requests?
> >
> > Anyway, please try this change and report back.
> >
> > # HG changeset patch
> > # User Sergey Kandaurov <pluknet at nginx.com>
> > # Date 1634038108 -10800
> > # Tue Oct 12 14:28:28 2021 +0300
> > # Branch quic
> > # Node ID af4bd86814fdd0a2da3f7b8a965c41923ebeedd5
> > # Parent 9d47948842a3fd1c658a9676e638ef66207ffdcd
> > QUIC: speeding up processing 0-RTT.
> >
> > After fe919fd63b0b, processing 0-RTT was postponed until after handshake
> > completion (typically seen as 2-RTT), including both ssl_ocsp on and off.
> > This change allows to start OCSP checks with reused SSL handshakes,
> > which eliminates 1 additional RTT allowing to process 0-RTT as expected.
> >
> > diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> > --- a/src/event/quic/ngx_event_quic_ssl.c
> > +++ b/src/event/quic/ngx_event_quic_ssl.c
> > @@ -410,6 +410,10 @@ ngx_quic_crypto_input(ngx_connection_t *
> > return NGX_ERROR;
> > }
> >
> > + if (SSL_session_reused(c->ssl->connection)) {
> > + goto ocsp;
> > + }
> > +
> > return NGX_OK;
> > }
> >
> > @@ -463,6 +467,7 @@ ngx_quic_crypto_input(ngx_connection_t *
> > return NGX_ERROR;
> > }
> >
> > +ocsp:
> > rc = ngx_ssl_ocsp_validate(c);
> >
> > if (rc == NGX_ERROR) {
> >
>
> Below is alternative patch, it brings closer to how OCSP validation
> is done with SSL_read_early_data(), with its inherent design flaws.
> Namely, the case of regular SSL session reuse is still pessimized,
> but that shouldn't bring further slowdown with ssl_ocsp disabled,
> which is slow by itself.
>
> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1634637049 -10800
> # Tue Oct 19 12:50:49 2021 +0300
> # Branch quic
> # Node ID 6f26d6656b4ef97a3a245354bd7fa9e5c8671237
> # Parent 1798acc01970ae5a03f785b7679fe34c32adcfea
> QUIC: speeding up processing 0-RTT.
>
> After fe919fd63b0b, processing QUIC streams was postponed until after handshake
> completion, which means that 0-RTT is effectively off. With ssl_ocsp enabled,
> it could be further delayed. This differs to how SSL_read_early_data() works.
differs FROM ?
> This change unlocks processing streams on successful 0-RTT packet decryption.
>
> diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
> --- a/src/event/quic/ngx_event_quic.c
> +++ b/src/event/quic/ngx_event_quic.c
> @@ -989,6 +989,21 @@ ngx_quic_process_payload(ngx_connection_
> }
> }
>
> + if (pkt->level == ssl_encryption_early_data && !qc->streams.initialized) {
> + rc = ngx_ssl_ocsp_validate(c);
> +
> + if (rc == NGX_ERROR) {
> + return NGX_ERROR;
> + }
> +
> + if (rc == NGX_AGAIN) {
> + c->ssl->handler = ngx_quic_init_streams;
> +
> + } else {
> + ngx_quic_init_streams(c);
> + }
> + }
> +
> if (pkt->level == ssl_encryption_handshake) {
> /*
> * RFC 9001, 4.9.1. Discarding Initial Keys
> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> --- a/src/event/quic/ngx_event_quic_ssl.c
> +++ b/src/event/quic/ngx_event_quic_ssl.c
> @@ -463,6 +463,11 @@ ngx_quic_crypto_input(ngx_connection_t *
> return NGX_ERROR;
> }
>
> + if (qc->streams.initialized) {
> + /* done while processing 0-RTT */
> + return NGX_OK;
> + }
> +
> rc = ngx_ssl_ocsp_validate(c);
>
> if (rc == NGX_ERROR) {
>
>
> --
> Sergey Kandaurov
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
It would be nice to always call ngx_ssl_ocsp_validate() from the same source
file (presumably ngx_event_quic_ssl.c). But this does not seem to occur
naturally so let's leave it as it is.
Looks good.
PS: Also, this can be further refactored to move ngx_ssl_ocsp_validate() inside
ngx_quic_init_streams(). In this case we can only call ngx_quic_init_streams()
both times.
--
Roman Arutyunyan
More information about the nginx-devel
mailing list