On 23/01/2017 12:08 p.m., senor wrote:
> Hello all,
> Is the use of dynamic_cert_mem_cache_size=SIZE on the http_port
> directive any different with and without using sslcrtd_program?
As far as I'm aware they are different. But Squid passes some of the
prot parameters to the helper, and with SMP there are shared blocks of
memory involved, so best to keep them the same.
- At the very least that is the normal well-tested way of using them.
The helper uses an on-disk database/cache managed by OpenSSL as well as
the in-memory copies of popular things.
The Squid internal generator only uses in-memory AFAIK. But that may be
incorrect now, things in that area have changed a few times.
[ FYI, If Alex or Christos have differing info they know it best. ]
> Should there be a specific relationship between the amount of memory or
> disk configured for the two?
Disk - no. Memory - maybe.
> On a slight tangent, what performance improvement could be expected by
> using ssl_crtd? What metrics would be best to view if comparing with and
Without the helper the CPU timeslots assigned to Squid by the kernel
have to handle both traffic and cert generation tasks. This will
naturally be slower and add jitter to the traffic handling. However,
using a helper adds serialization overheads. So YMMV.
I'm not aware of anyone having done proper (or even rough) measurements.
Results will be traffic dependent though, since the certs are cached and
have HIT/MISS type behaviour just like any other cache data.