On 04/26/2017 09:35 AM,
Yuri Voinov wrote:
> This is openssl issue or squid's?
AFAIK, the underlying issue (i.e., bug #4005) is
mostly a Squid problem:
Squid is caching SSL contexts (instead of
certificates) and does a poor
job maintaining that cache.
Earlier OpenSSL versions (that had to be used
when the original code was
written) complicated solving this problem.
OpenSSL v1.0.1+ added APIs
that simplify some aspects of the anticipated
fix. Certain OpenSSL
aspects will continue to hurt Squid, even with
OpenSSL v1.0.1, but if
you want to blame a single project (instead of
both), blame Squid.
> Why sessions can't share CA's data cached
in memory? shared_ptr invented
> already.
OpenSSL knew how to share things well before
std::shared_ptr became
available. However, it is the responsibility of
the application to tell
OpenSSL what to create from scratch and what to
share. A part of the
problem is that Squid tells OpenSSL to create
many large things from
scratch and then caches those large things while
underestimating their
size by several(?) orders of magnitude (and
probably also missing many
cache hits).
More details, including the difference between
problems associated with
from-client and to-server connections, are
documented in the "Memory
Usage" section of
http://wiki.squid-cache.org/Features/SslBump
wiki.squid-cache.org
Squid-in-the-middle
decryption and encryption of
straight CONNECT and transparently
redirected SSL traffic, using
configurable CA certificates.
|
FWIW, we have spent a lot of resources on
triaging this problem and
drafting possible solutions (in various
overlapping areas), but there is
currently no sponsor to finalize and implement
any of the fixes. AFAIK,
bug #4005 is stuck.
I am glad that NO_DEFAULT_CA helps mitigate some
of the problems in some
environments.
HTH,
Alex.
> 26.04.2017 9:08, Amos Jeffries пишет:
>> On 26/04/17 10:53, Yuri Voinov wrote:
>>> Ok, but how NO_DEFAULT_CA should
help with this?
>>
>> It prevents OpenSSL copying that 1MB
into each incoming client
>> connections memory. The CAs are only
useful there when you have some
>> of the global CAs as root for client
certificates - in which case you
>> still only want to trust the roots you
paid for service and not all of
>> them.
>>
>> Just something to try if there are huge
memory issues with TLS/SSL
>> proxying. The default behaviour is
fixed for Squid-4 with the config
>> options changes. But due to being a
major surprise for anyone already
>> relying on global roots for client
certs it remains a problem in 3.5.
>>
>> Amos
>>
>>
_______________________________________________
>> squid-users mailing list
>>
squid-users@xxxxxxxxxxxxxxxxxxxxx
>>
http://lists.squid-cache.org/listinfo/squid-users
lists.squid-cache.org
squid-users -- General
discussion relating to Squid. The
membership of this list is thousands
of Squid users from around the world
About squid-users
|
>
>
>
>
_______________________________________________
> squid-users mailing list
>
squid-users@xxxxxxxxxxxxxxxxxxxxx
>
http://lists.squid-cache.org/listinfo/squid-users
lists.squid-cache.org
squid-users -- General
discussion relating to Squid. The
membership of this list is thousands
of Squid users from around the world
About squid-users
|
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
lists.squid-cache.org
squid-users -- General
discussion relating to Squid. The
membership of this list is thousands
of Squid users from around the world
About squid-users
|