回复：Re: Openssl 1.1.0f Support

i***@sina.cn

2017-09-22 02:55:25 UTC

With the patch, the ERR_clear_error() will only be called when the error occurs. In the normal situation, ERR_clear_error() will not be called, so the Err_get_state() will not be called and no lock contention in openssl 1.0.1 with the patch.

----- åå§é®ä»¶ -----åä»¶äººïŒBryan Call <***@apache.org>
æ¶ä»¶äººïŒ***@sina.cn
æéäººïŒusers <***@trafficserver.apache.org>
äž»é¢ïŒRe: Openssl 1.1.0f Support
æ¥æïŒ2017å¹Ž09æ21æ¥ 23ç¹37å

This only changes the order of the calls. There is still going to be lock contention inside OpenSSL 1.0.1.-BryanOn Sep 20, 2017, at 11:37 PM, ***@sina.cn wrote:The following traffic server patch can improve openssl 1.0.1 performance as openssl 1.1.0:

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 5c9709c..5d306a1 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1936,7 +1936,7 @@ SSLWriteBuffer(SSL *ssl, const void *buf, int64_t nbytes, int64_t &nwritten)
if (unlikely(nbytes == 0)) {
return SSL_ERROR_NONE;
}
- ERR_clear_error();
+
int ret = SSL_write(ssl, buf, (int)nbytes);
if (ret > 0) {
nwritten = ret;
@@ -1953,6 +1953,9 @@ SSLWriteBuffer(SSL *ssl, const void *buf, int64_t nbytes, int64_t &nwritten)
ERR_error_string_n(e, buf, sizeof(buf));
Debug("ssl.error.write", "SSL write returned %d, ssl_error=%d, ERR_get_error=%ld (%s)", ret, ssl_error, e, buf);
}
+
+ ERR_clear_error();
+
return ssl_error;
}

@@ -1964,7 +1967,7 @@ SSLReadBuffer(SSL *ssl, void *buf, int64_t nbytes, int64_t &nread)
if (unlikely(nbytes == 0)) {
return SSL_ERROR_NONE;
}
- ERR_clear_error();
+
int ret = SSL_read(ssl, buf, (int)nbytes);
if (ret > 0) {
nread = ret;
@@ -1978,13 +1981,14 @@ SSLReadBuffer(SSL *ssl, void *buf, int64_t nbytes, int64_t &nread)
Debug("ssl.error.read", "SSL read returned %d, ssl_error=%d, ERR_get_error=%ld (%s)", ret, ssl_error, e, buf);
}

+ ERR_clear_error();
+
return ssl_error;
}

ssl_error_t
SSLAccept(SSL *ssl)
{
- ERR_clear_error();
int ret = SSL_accept(ssl);
if (ret > 0) {
return SSL_ERROR_NONE;
@@ -1997,13 +2001,14 @@ SSLAccept(SSL *ssl)
Debug("ssl.error.accept", "SSL accept returned %d, ssl_error=%d, ERR_get_error=%ld (%s)", ret, ssl_error, e, buf);
}

+ ERR_clear_error();
+
return ssl_error;
}

ssl_error_t
SSLConnect(SSL *ssl)
{
- ERR_clear_error();
int ret = SSL_connect(ssl);
if (ret > 0) {
return SSL_ERROR_NONE;
@@ -2016,5 +2021,7 @@ SSLConnect(SSL *ssl)
Debug("ssl.error.connect", "SSL connect returned %d, ssl_error=%d, ERR_get_error=%ld (%s)", ret, ssl_error, e, buf);
}

+ ERR_clear_error();
+
return ssl_error;
} From: Bryan Call <***@apache.org>
Reply-To: "***@trafficserver.apache.org" <***@trafficserver.apache.org>
Date: Thursday, September 21, 2017 at 8:38 AM

docs.trafficserver.apache.org. Maybe you have some mismatch / issues>>> >> between>>> >> headers (when compiling ATS) and runtime?>>> >>>>> >> Cheers,>>> >>>>> >> â Leif

Leif Hedstrom

2017-09-26 14:51:02 UTC

Permalink

Post by i***@sina.cn
With the patch, the ERR_clear_error() will only be called when the error occurs. In the normal situation, ERR_clear_error() will not be called, so the Err_get_state() will not be called and no lock contention in openssl 1.0.1 with the patch.
----- 原始邮件 -----
主题：Re: Openssl 1.1.0f Support
日期：2017年09月21日 23点37分
This only changes the order of the calls. There is still going to be lock contention inside OpenSSL 1.0.1.
-Bryan

I think this makes a lot of sense (but I haven’t tested it). Did you make a PR for this on Github?

Cheers,

— leif

Sudheer Vinukonda

2017-09-26 15:05:12 UTC

Permalink

Just to add some more context related to this -

IIRC, the patch proposed below (to clear the error queue only when an error occurred) was actually how this fix was implemented when it was first added (sometime during 5.3?) However, I think it was still resulting in some unexplained handshake/connect failures (which turned out to be not exactly connect failures, but were being marked so, due to stale error queue). And that was when the fix was changed to clear the error queue *before* calling connect.

All of this being a few years and releases ago, may no longer be the case and assuming the reordering of the clear queue tests good with no handshake failures or other side affects, this fix sounds fine.

- Sudheer

I agree this needs to be tested

Post by Leif Hedstrom

I think this makes a lot of sense (but I haven’t tested it). Did you make a PR for this on Github?
Cheers,
— leif

Bryan Call

2017-09-26 15:52:26 UTC

Permalink

We should be able to test this by calling ERR_peek_error() or ERR_get_error() in a test build in production to see if they are picking up any errors that havenât been cleared.

-Bryan

Post by Sudheer Vinukonda
Just to add some more context related to this -
IIRC, the patch proposed below (to clear the error queue only when an error occurred) was actually how this fix was implemented when it was first added (sometime during 5.3?) However, I think it was still resulting in some unexplained handshake/connect failures (which turned out to be not exactly connect failures, but were being marked so, due to stale error queue). And that was when the fix was changed to clear the error queue *before* calling connect.
All of this being a few years and releases ago, may no longer be the case and assuming the reordering of the clear queue tests good with no handshake failures or other side affects, this fix sounds fine.
- Sudheer
I agree this needs to be tested

Post by i***@sina.cn
With the patch, the ERR_clear_error() will only be called when the error occurs. In the normal situation, ERR_clear_error() will not be called, so the Err_get_state() will not be called and no lock contention in openssl 1.0.1 with the patch.
----- åå§é®ä»¶ -----
äž»é¢ïŒRe: Openssl 1.1.0f Support
æ¥æïŒ2017å¹Ž09æ21æ¥ 23ç¹37å
This only changes the order of the calls. There is still going to be lock contention inside OpenSSL 1.0.1.
-Bryan

I think this makes a lot of sense (but I havenât tested it). Did you make a PR for this on Github?
Cheers,
â leif