[nginx] Performance analysis of the SNI feature, based on the nginx source

Concept

We already know what SNI is and how to configure it, from the earlier post:

[nginx] How to use the SNI feature of nginx


Problem

Looking at the configuration file, we can see that for each SSL/TLS connection nginx dynamically looks up (loads) the correct certificate.

So, compared with the case where SNI is not configured, what are the similarities and differences in the performance of this process?

By analyzing the relevant parts of the nginx source, we will answer this question.

(If you do not care about the source code, you can skip straight to the "Conclusion" section.)

 [classic_tong @ 20191023]

(The original post includes a diagram of the process; the figure is not reproduced here.)


Analysis

As shown in the figure:

1. Modules

nginx uses two modules to complete the TLS process (only http is analyzed here; stream is analogous): ngx_openssl_module and ngx_http_ssl_module. The former is a core module, the latter is an http module.

The core module's ngx_ssl_init() function is called in the master process to complete global initialization, including the initialization of OpenSSL.

The http module's work is done inside the http framework and can be divided into a configuration phase and a connection (request) handling phase.


2. Configuration phase

This is "process two" in the red box of the figure: the stage in which the configuration file is processed. At this stage, when the ssl server configuration is merged, http_ssl_module checks whether the SNI feature (a certificate selected per connection) is configured.


If it is not, ngx_ssl_certificate() is called to load all certificates of the certificate chain; they are read into memory and stored in the ctx structure of the global configuration. ctx (SSL_CTX) is the global context of the OpenSSL API and is passed as a parameter to the OpenSSL functions. When OpenSSL handles a connection it copies the certificate chain from ctx into the connection structure (via SSL_new()); the scope of the OpenSSL connection structure (SSL) is a single TLS connection.


If SNI is configured, http_ssl_module does not load the certificate chain; instead it compiles the variable-based certificate configuration and keeps it ready for runtime evaluation.

At the same time, it registers the callback function ngx_http_ssl_certificate() through OpenSSL's SSL_CTX_set_cert_cb(). Before the SSL handshake proceeds, this callback gives the application a chance to modify the certificate information. The callback is invoked from inside SSL_do_handshake().

# man SSL_CTX_set_cert_cb
cert_cb() is the application defined callback. It is called before a certificate will be used by a client or server.
The callback can then inspect the passed ssl structure and set or clear any appropriate certificates.
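To make the two configuration paths concrete, here is an added nginx configuration fragment (not from the original post) showing a static certificate next to a certificate selected by the $ssl_server_name variable. Only the variable form takes the callback path described above; the file paths and server names are assumptions.

```nginx
# Static certificate: the chain is loaded once, at configuration time,
# into the global SSL_CTX (ngx_ssl_certificate()).
server {
    listen 443 ssl;
    server_name static.example.com;              # assumed name
    ssl_certificate     /etc/nginx/certs/static.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/static.example.com.key;   # assumed path
}

# Variable-based certificate: nginx compiles the value and registers
# ngx_http_ssl_certificate() with SSL_CTX_set_cert_cb(); the file matching
# the client's SNI name is loaded during every handshake.
server {
    listen 443 ssl;
    server_name *.example.com;                   # assumed name
    ssl_certificate     /etc/nginx/certs/$ssl_server_name.crt;     # assumed path
    ssl_certificate_key /etc/nginx/certs/$ssl_server_name.key;     # assumed path
}
```

Variables in ssl_certificate and ssl_certificate_key require nginx 1.15.9 or later; a name that does not match a file in the directory fails the handshake for that client, which is worth keeping in mind when deciding the candidate set discussed in the conclusion.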


3. Request phase

This is "process three" in the red box of the figure.

In the request phase, nginx itself does not perceive "whether the SNI feature is enabled". All of the SNI logic is completed in the callback ngx_http_ssl_certificate() registered earlier; the nginx ssl module framework simply runs its normal processing logic.

In the callback function, a request structure is first allocated as intermediate storage. Then the certificate chain is loaded through the OpenSSL BIO interface and attached to the OpenSSL connection structure. Finally the request that was just allocated is released (a memory pool is built along the way; the pool's memory is requested from the operating system).

This process reuses the function ngx_ssl_load_certificate() shared with the configuration phase; the global context ctx does not take part at all, and after the connection ends the certificate chain is released.

The next new connection loads the certificate chain once again.


4. OpenSSL

Comparing the OpenSSL API call sequences of the two cases, without SNI and with SNI, the following difference is found; the key is whether the context ctx is involved.

Without SNI, SSL_CTX_use_certificate() is used; with SNI, SSL_use_certificate() is used.

Consulting the documentation, the difference is:

# man SSL_CTX_use_certificate
The SSL_CTX_* class of functions loads the certificates and keys into the SSL_CTX object ctx. The information is passed
to SSL objects ssl created from ctx with SSL_new(3) by copying, so that changes applied to ctx do not propagate to
already existing SSL objects. The SSL_* class of functions only loads certificates and keys into a specific SSL object.
The specific information is kept, when SSL_clear(3) is called for this SSL object.

This confirms the result of our analysis from another angle; interested readers can read the full manual page, which is not repeated here.


5. Experiment

Up to now, all of the analysis has treated OpenSSL as a black box from nginx's side. It cannot be ruled out that OpenSSL has some specific optimization that prevents the certificate chain from being loaded multiple times. To confirm the analysis, the following experiment was done: with SNI configured, issue multiple requests that use the same certificate, and observe with gdb whether the callback function is entered and the certificate chain reloaded every time.

616         if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
(gdb) n
627             if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert)
(gdb) 
634             bio = BIO_new_file((char *) cert->data, "r");
(gdb) 
635             if (bio == NULL) {
(gdb) 
643         x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
(gdb) bt
#0  ngx_ssl_load_certificate (pool=0x55825f636240, err=0x7ffd32750868, cert=0x7ffd32750900, chain=0x7ffd32750870) at src/event/ngx_event_openssl.c:643
#1  0x000055825ed31d79 in ngx_ssl_connection_certificate (c=0x55825f64c0c0, pool=0x55825f636240, cert=0x7ffd32750900, key=0x7ffd32750910, passwords=0x55825f0df860 <empty_passwords.29651>) at src/event/ngx_event_openssl.c:546
#2  0x000055825ee378ef in ngx_stream_ssl_certificate (ssl_conn=0x55825f632c70, arg=0x55825f63def0) at src/stream/ngx_stream_ssl_module.c:530
#3  0x00007efed0277b3c in tls_post_process_client_hello () from /opt/openssl/lib/libssl.so.1.1
#4  0x00007efed026d362 in state_machine () from /opt/openssl/lib/libssl.so.1.1
#5  0x00007efed0265991 in SSL_do_handshake () from /opt/openssl/lib/libssl.so.1.1
#6  0x000055825ed33f27 in ngx_ssl_handshake (c=0x55825f64c0c0) at src/event/ngx_event_openssl.c:1683
#7  0x000055825ed34671 in ngx_ssl_handshake_handler (ev=0x55825f66dec0) at src/event/ngx_event_openssl.c:1992
#8  0x000055825ed2dae8 in ngx_epoll_process_events (cycle=0x55825f62d4a0, timer=60000, flags=1) at src/event/modules/ngx_epoll_module.c:957
#9  0x000055825ed185cf in ngx_process_events_and_timers (cycle=0x55825f62d4a0) at src/event/ngx_event.c:242
#10 0x000055825ed2a4d4 in ngx_worker_process_cycle (cycle=0x55825f62d4a0, data=0x0) at src/os/unix/ngx_process_cycle.c:759
#11 0x000055825ed26305 in ngx_spawn_process (cycle=0x55825f62d4a0, proc=0x55825ed2a3d4 <ngx_worker_process_cycle>, data=0x0, name=0x55825ee6e4fb "worker process", respawn=-3) at src/os/unix/ngx_process.c:199
#12 0x000055825ed29018 in ngx_start_worker_processes (cycle=0x55825f62d4a0, n=1, type=-3) at src/os/unix/ngx_process_cycle.c:359
#13 0x000055825ed284fb in ngx_master_process_cycle (cycle=0x55825f62d4a0) at src/os/unix/ngx_process_cycle.c:131
#14 0x000055825ecdf1d9 in main (argc=1, argv=0x7ffd327511a8) at src/core/nginx.c:382
(gdb) 

(The call stack is left here for later reference.)

The experiment shows that each certificate is reloaded through BIO_new_file() on every connection. Unless that function is optimized, a disk IO operation takes place for every certificate on every connection.
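The single-step session above shows one handshake. To count loads across many connections without stepping by hand, the following gdb command file is an added example (not from the original post) that breaks on ngx_ssl_load_certificate(), the function at frame #0 of the trace, and prints a running counter together with the file name being opened. It assumes a worker built with debug symbols and that you attach to the worker's pid with gdb -p.

```gdb
# Added example: count certificate-chain loads per worker.
# Usage (assumed): gdb -p <worker pid> -x count_cert_loads.gdb
set pagination off
set $loads = 0

break ngx_ssl_load_certificate
commands
  silent
  set $loads = $loads + 1
  # cert is an ngx_str_t *, so cert->data is the NUL-terminated path
  printf "load #%d: %s\n", $loads, cert->data
  continue
end

continue
```

With the static configuration the breakpoint fires only at startup and the counter never moves during traffic; with the variable-based configuration it increments once per certificate on every new connection, which is the disk IO the conclusion refers to.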


Conclusion

After the SNI feature is configured, nginx's handling of TLS connection requests incurs a performance loss, at the granularity of each connection.

Each additional SSL/TLS connection incurs: one memory allocation and release; and disk IO to load every certificate in the certificate chain.


Improvement proposals

I think the memory allocation can be ignored, because handling the original request also requires requesting memory from the OS. The disk IO is the crucial part.

Option 1: place all certificates on a memory file system; this option requires no code changes.

Option 2: rewrite ngx_http_ssl_certificate(). Although certificates are selected dynamically, as long as the candidate set can be determined, they can still be pre-loaded, removing the runtime IO. The restrictions this introduces are: 1. the candidate set cannot be changed at runtime; 2. an upper limit must be set on the number of certificates in the set.
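The following Python program is an added example, not code from the post or from nginx, that contrasts the two strategies behind an SNI callback using the standard library's ssl module: PerConnectionLoader reproduces the per-handshake load the post observed, and PreloadedSniStore implements option 2 (a bounded candidate set loaded once at startup, looked up without IO afterwards). The class names, the max_entries limit, the injectable loader and the sample server names are all assumptions; the default loader is the real ssl.SSLContext.load_cert_chain, and sni_callback follows the signature Python's SSLContext.sni_callback expects.

```python
"""Added example: per-connection certificate loading vs. a pre-loaded,
bounded candidate set behind an SNI callback (not nginx's code)."""
import ssl
from typing import Callable, Dict, Optional, Tuple

# server_name -> (cert_path, key_path); the loader turns a pair into a context.
Candidates = Dict[str, Tuple[str, str]]
Loader = Callable[[str, str], ssl.SSLContext]


def load_from_disk(cert_path: str, key_path: str) -> ssl.SSLContext:
    """Real loader: one disk read of chain and key (what BIO_new_file does in nginx)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_path, key_path)
    return ctx


class _SniSelector:
    """Shared glue: Python's SSLContext.sni_callback(sslobj, server_name, ctx)."""

    def select(self, server_name: Optional[str]):
        raise NotImplementedError

    def sni_callback(self, ssl_sock, server_name, default_ctx):
        ctx = self.select(server_name)
        if ctx is not None:
            # Swapping the context is how a Python server picks a per-name cert;
            # returning None lets the handshake continue with it.
            ssl_sock.context = ctx
        return None


class PerConnectionLoader(_SniSelector):
    """Mirrors the variable-based ssl_certificate path: load on every handshake."""

    def __init__(self, candidates: Candidates, loader: Loader = load_from_disk):
        self._candidates = candidates
        self._loader = loader
        self.disk_loads = 0  # grows by one per selected connection

    def select(self, server_name: Optional[str]):
        paths = self._candidates.get(server_name or "")
        if paths is None:
            return None
        self.disk_loads += 1
        return self._loader(*paths)


class PreloadedSniStore(_SniSelector):
    """Option 2: fixed candidate set, loaded once; runtime lookups do no IO.

    Restrictions from the post: the set cannot change at runtime (the dict is
    filled in __init__ only) and its size is capped by max_entries.
    """

    def __init__(self, candidates: Candidates, max_entries: int = 64,
                 loader: Loader = load_from_disk):
        if len(candidates) > max_entries:
            raise ValueError(
                f"{len(candidates)} candidates exceed the limit of {max_entries}")
        self._contexts = {name: loader(cert, key)
                          for name, (cert, key) in candidates.items()}
        self.disk_loads = len(self._contexts)  # all IO happens here, at startup

    def select(self, server_name: Optional[str]):
        return self._contexts.get(server_name or "")


def install(default_ctx: ssl.SSLContext, selector: _SniSelector) -> ssl.SSLContext:
    """Attach a selector to the context used for the listening socket."""
    default_ctx.sni_callback = selector.sni_callback
    return default_ctx


if __name__ == "__main__":
    # Constructed candidate set; the files are assumed to exist on a real server.
    candidates = {
        "a.example.com": ("/etc/nginx/certs/a.example.com.crt",
                          "/etc/nginx/certs/a.example.com.key"),
        "b.example.com": ("/etc/nginx/certs/b.example.com.crt",
                          "/etc/nginx/certs/b.example.com.key"),
    }
    store = PreloadedSniStore(candidates, max_entries=16)
    ctx = install(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), store)
    print(f"pre-loaded {store.disk_loads} certificate chains; "
          "wrap the listening socket with ctx.wrap_socket(sock, server_side=True)")
```

The cost difference the post measured shows up directly in disk_loads: with PerConnectionLoader it equals the number of handshakes served, with PreloadedSniStore it equals the size of the candidate set and never changes. The trade-off is the one stated above: adding a certificate means restarting (or reloading) the process, and the cap bounds the memory that startup commits.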

Source: www.cnblogs.com/hugetong/p/11728032.html