[openssl-users] Performance problems with OpenSSL and threading
John Foley
foleyj at cisco.com
Fri May 1 22:33:18 UTC 2015
Yes, if you never call FIPS_mode_set(), the POST will never run. I'll
defer to the experts on your other questions.
On 05/01/2015 05:10 PM, Bryan Call wrote:
> So can I assume the FIPS POST has completed if I never call FIPS_mode_set() in the code? I was confused about that.
>
> When we call SSL_read() and get a 0 byte return we call SSL_get_error() to see if there was an error not not. Maybe there is a more efficient handle this, like looking at the shutdown flag?
>
> 0 The read operation was not successful. The reason may either be a
> clean shutdown due to a "close notify" alert sent by the peer (in
> which case the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state
> is set (see SSL_shutdown(3), SSL_set_shutdown(3)). It is also
> possible, that the peer simply shut down the underlying transport
> and the shutdown is incomplete. Call SSL_get_error() with the
> return value ret to find out, whether an error occurred or the
> connection was shut down cleanly (SSL_ERROR_ZERO_RETURN).
>
> When we call SSL_accept we also call SSL_get_error() to see we need to read or write. Is there a more efficient way to tell if we need to read or write?
>
> If the underlying BIO is non-blocking, SSL_accept() will also return
> when the underlying BIO could not satisfy the needs of SSL_accept() to
> continue the handshake, indicating the problem by the return value -1.
> In this case a call to SSL_get_error() with the return value of
> SSL_accept() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
> The calling process then must repeat the call after taking appropriate
> action to satisfy the needs of SSL_accept(). The action depends on the
> underlying BIO. When using a non-blocking socket, nothing is to be
> done, but select() can be used to check for the required condition.
> When using a buffering BIO, like a BIO pair, data must be written into
> or retrieved out of the BIO before being able to continue.
>
>
> Thank you...
>
> -Bryan
>
>
>
>
>> On May 1, 2015, at 5:34 AM, John Foley <foleyj at cisco.com> wrote:
>>
>> Lock #1 is CRYPTO_LOCK_ERR, which I believe is used for logging errors. It appears your application is generating a lot of errors for some reason. Never tried it myself, but you probably can't disable this lock with multiple threads running. You should take a look at the error log to identify the cause of the errors. Then resolve the issue, whatever it may be.
>>
>>
>>
>> On 04/30/2015 06:52 PM, Bryan Call wrote:
>>> This is for Apache Traffic Server and we have no knobs for turning on/off FIPS. I am thinking about always disabling FIPS right now and that would happen before we create the threads.
>>>
>>> I was able to get rid of all the FIPS lock connection with the changes you recommend (Big Thanks!). The big one now is type 1. I am printing out the log every time the contention total is mod 1M. Are there any tricks I can do for type 1 locks?
>>>
>>> [Apr 30 22:46:49.549] Server {0x7f1e4531d700} ERROR: contention for lock - total contention: 4000000 waiting: 1 file: pmeth_lib.c line: 185 type: 10
>>> [Apr 30 22:46:49.688] Server {0x7f1e45822700} ERROR: contention for lock - total contention: 11000000 waiting: 2 file: err.c line: 469 type: 1
>>> [Apr 30 22:46:50.406] Server {0x7f1e45c26700} ERROR: contention for lock - total contention: 4000000 waiting: 0 file: ex_data.c line: 304 type: 2
>>> [Apr 30 22:46:50.932] Server {0x7f1e45b25700} ERROR: contention for lock - total contention: 12000000 waiting: 5 file: err.c line: 446 type: 1
>>> [Apr 30 22:46:52.001] Server {0x7f1e45721700} ERROR: contention for lock - total contention: 1000000 waiting: 0 file: rand_lib.c line: 212 type: 19
>>>
>>> -Bryan
>>>
>>>
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> .
>
More information about the openssl-users
mailing list