[openssl-users] Sequential / parallel OpenSSL sessions with Async

Matt Caswell matt at openssl.org
Wed Aug 31 15:45:31 UTC 2016



On 31/08/16 13:17, Nicolas Brunie wrote:
> Hi All, I have been playing around with OpenSSL ASYNC JOB and an
> asynchronous offloading engine and a stupid question came to mind:
> It is not possible to make several parallel/pending calls to SSL_read
> (or SSL_write) on a single SSL* object (with different output/input
> buffers) so that multiple offloading operations can be done in parallel
> (on a single SSL object).
> I am quite new to TLS but it may seem that you can not enqueue
> multiple calls to the same SSL_<method> until the first one called has
> returned (in the sense completely finished and not just return an
> SSL_ERROR_WANT_ASYNC), is that so?

You can use the new 1.1.0 "pipelining" feature to achieve something like
what you want - although it works slightly differently to the approach
you describe.

From CHANGES:
 Added support for "pipelining". Ciphers that have the
 EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
 encryptions/decryptions simultaneously. There are currently no built-in
 ciphers with this property but the expectation is that engines will be
 able to offer it to significantly improve throughput. Support has been
 extended into libssl so that multiple records for a single connection
 can be processed in one go (for >=TLS 1.1).

See the dasync engine for an example implementation of this.

At the SSL layer see this page for a description of how pipelining works:

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_split_send_fragment.html

Essentially when you call SSL_write() you should send through a large
chunk of data in one go. You also configure OpenSSL to split this up
into multiple records (as described in the above man page). The
encryption for all records can then occur in a single call through to
the pipeline capable engine which can then process them in parallel.

It works in a similar way for SSL_read(), although it does depend on
having received multiple records in one go in order to benefit from any
possible parallelisation.

Pipelining and async are two different features which can be used
independently. However you can also combine them, so that a pipeline
capable engine could choose to work on multiple parallel
encryptions/decryptions simultaneously and return control to the
application in the meantime until the processing has been completed.

Matt
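
How the record splitting described above apportions one SSL_write() buffer, as an added example that is not part of the original message and is not OpenSSL's code: a stand-alone C model of the rule in the linked SSL_CTX_set_split_send_fragment man page, using that page's 2000-byte, 4-pipeline settings. The names plan_records and planned_bytes are hypothetical; a real application sets these values with SSL_CTX_set_split_send_fragment(), SSL_CTX_set_max_pipelines() and SSL_CTX_set_max_send_fragment().

```c
#include <stddef.h>
#include <stdio.h>
/* Model (not OpenSSL source) of how one SSL_write() buffer of n bytes is
 * apportioned into records for a pipeline-capable cipher. Fills lens[] and
 * returns the number of records built in this pass, or 0 on bad settings. */
size_t plan_records(size_t n, size_t split_send_fragment,
                    size_t max_send_fragment, size_t max_pipelines,
                    size_t *lens, size_t cap)
{
    /* split_send_fragment must not exceed max_send_fragment. */
    if (n == 0 || split_send_fragment == 0 || max_pipelines == 0 ||
        max_pipelines > cap || split_send_fragment > max_send_fragment)
        return 0;

    /* One pipeline per started split_send_fragment, capped at max_pipelines. */
    size_t pipes = (n - 1) / split_send_fragment + 1;
    if (pipes > max_pipelines)
        pipes = max_pipelines;

    if (n / pipes >= max_send_fragment) {
        /* Enough data to fill every record; the rest waits for a later pass. */
        for (size_t i = 0; i < pipes; i++)
            lens[i] = max_send_fragment;
    } else {
        /* Spread the data equally; the first n % pipes records get one extra. */
        for (size_t i = 0; i < pipes; i++)
            lens[i] = n / pipes + (i < n % pipes ? 1 : 0);
    }
    return pipes;
}

/* Bytes consumed by one pass, i.e. the sum of the planned record lengths. */
size_t planned_bytes(const size_t *lens, size_t count)
{
    size_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += lens[i];
    return total;
}

int main(void)
{
    /* Constructed sample sizes; settings follow the man page's example. */
    size_t sizes[] = { 1500, 2001, 6001, 40000, 100000 }, lens[4];
    for (size_t s = 0; s < sizeof sizes / sizeof sizes[0]; s++) {
        size_t k = plan_records(sizes[s], 2000, 16384, 4, lens, 4);
        printf("%zu: %zu records, %zu bytes\n", sizes[s], k, planned_bytes(lens, k));
    }
    return 0;
}
```

In this model a 40000-byte write yields four 10000-byte records: split_send_fragment decides how many pipelines are used, while max_send_fragment bounds the size of each record.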



