<!-- Kamailio Pull Request Template -->
<!--
IMPORTANT:
- for detailed contributing guidelines, read:
https://github.com/kamailio/kamailio/blob/master/.github/CONTRIBUTING.md
- pull requests must be done to master branch, unless they are backports
of fixes from master branch to a stable branch
- backports to stable branches must be done with 'git cherry-pick -x ...'
- code is contributed under BSD for core and main components (tm, sl, auth, tls)
- code is contributed GPLv2 or a compatible license for the other components
- GPL code is contributed with OpenSSL licensing exception
-->
#### Pre-Submission Checklist
<!-- Go over all points below, and after creating the PR, tick all the checkboxes that
apply -->
<!-- All points should be verified, otherwise, read the CONTRIBUTING guidelines from
above-->
<!-- If you're unsure about any of these, don't hesitate to ask on sr-dev
mailing list -->
- [x] Commit message has the format required by CONTRIBUTING guide
- [x] Commits are split per component (core, individual modules, libs, utils, ...)
- [x] Each component has a single commit (if not, squash them into one commit)
- [x] No commits to README files for modules (changes must be done to docbook files
in `doc/` subfolder, the README file is autogenerated)
#### Type Of Change
- [ ] Small bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)
- [x] Optimization
#### Checklist:
<!-- Go over all points below, and after creating the PR, tick the checkboxes that
apply -->
- [ ] PR should be backported to stable branches
- [x] Tested changes locally
- [ ] Related to issue #XXXX (replace XXXX with an open issue number)
#### Description
Kamailio TLS mod_init is creating one SSL_CTX per process; some of the functions are taking
between 1-3 seconds to execute, which is slowing down the startup sequence greatly.
```
SSL_CTX_load_verify_locations
SSL_CTX_set_client_CA_list // list sent to the client
SSL_load_client_CA_file
SSL_CTX_get_client_CA_list
```
In fact, it is safe to share the SSL_CTX, since it is only used to store settings that will
be used to internalize new structures; see the documentation reference:
```
https://www.openssl.org/docs/man1.1.1/man7/ssl.html
SSL_CTX (SSL Context)
This is the global context structure which is created by a server or
client once per program life-time and which holds mainly default values
for the SSL structures which are later created for the connections.
```
I load tested this with 1000 TLS connections.
We could push the refactoring further; this simple modification has a huge impact since the
functions are now called only once per SSL / SNI, not per process ...
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/1585
-- Commit Summary --
* tls: faster startup using shared SSL_CTX
-- File Changes --
M src/modules/tls/tls_domain.c (29)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/1585.patch
https://github.com/kamailio/kamailio/pull/1585.diff