cert mem cache

cert mem cache

senor
Hello all,
Is the use of dynamic_cert_mem_cache_size=SIZE on the http_port
directive any different with and without using sslcrtd_program?

Should there be a specific relationship between the amount of memory or
disk configured for the two?

On a slight tangent, what performance improvement could be expected by
using ssl_crtd? What metrics would be best to view if comparing with and
without?

Thanks in advance.
Senor
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: cert mem cache

Amos Jeffries
Administrator
On 23/01/2017 12:08 p.m., senor wrote:
> Hello all,
> Is the use of dynamic_cert_mem_cache_size=SIZE on the http_port
> directive any different with and without using sslcrtd_program?
>

As far as I'm aware they are different. But Squid passes some of the
port parameters to the helper, and with SMP there are shared blocks of
memory involved, so best to keep them the same.
 - At the very least that is the normal well-tested way of using them.

The helper uses an on-disk database/cache managed by OpenSSL as well as
the in-memory copies of popular things.
The Squid internal generator only uses in-memory AFAIK. But that may be
incorrect now, things in that area have changed a few times.

[ FYI, if Alex or Christos have differing info they know it best. ]


> Should there be a specific relationship between the amount of memory or
> disk configured for the two?

Disk - no. Memory - maybe.

>
> On a slight tangent, what performance improvement could be expected by
> using ssl_crtd? What metrics would be best to view if comparing with and
> without?
>

Without the helper the CPU timeslots assigned to Squid by the kernel
have to handle both traffic and cert generation tasks. This will
naturally be slower and add jitter to the traffic handling. However,
using a helper adds serialization overheads. So YMMV.


I'm not aware of anyone having done proper (or even rough) measurements.
Results will be traffic dependent though, since the certs are cached and
have HIT/MISS type behaviour just like any other cache data.

Amos
