ssl {reuse_sessions,false}

ssl {reuse_sessions,false}

obi458
Hi,

we have 5000 clients (third party) connecting every 25 seconds to our
server over TLS 1.2,

24h later the table server_ssl_opt_session_cache has about 18 million
objects and allocates 5 GByte!

If we use {reuse_sessions,false} the table (server_ssl_opt_session_cache)
is not empty!

Any hints?

--
Regards
Oliver Bollmann

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Re: ssl {reuse_sessions,false}

Ingela Andin
Hi!

{reuse_sessions,false} just makes the current connection not use the feature, but the information is
saved for possible other connections to use, as it is configured per connection and the ssl application cannot know
if it might need it later.

Since ssl-8.2.1 there should be a working limitation of the table, although it is a soft limit due to current implementation trade-offs, and it will be shrunk gradually. At a very high load it might shrink too slowly; the workaround would be to have a callback for the session table that does not save the information.

We have been thinking about changing the implementation, but TLS 1.3 has a new mechanism, and there are also other mechanisms for TLS 1.2 that we have not implemented, so it just has not landed in the best way forward yet.

Regards Ingela - Erlang/OTP Team - Ericsson AB






On Fri 23 Aug 2019 at 14:18, Oliver Bollmann <[hidden email]> wrote:
Re: ssl {reuse_sessions,false}

obi458
-ssl session_lifetime 120; every 2 minutes

will delete sessions from server_ssl_opt_session_cache

Right?

Oliver
On 23.08.19 14:52, Ingela Andin wrote:
-- 
Regards
Oliver Bollmann

Re: ssl {reuse_sessions,false}

Ingela Andin
Yes it will, there is also:

session_cache_client_max = integer() <optional>

Limits the growth of the client's session cache, that is, how many sessions towards servers are cached to be used by new client connections. If the maximum number of sessions is reached, the current cache entries will be invalidated regardless of their remaining lifetime. Defaults to 1000. Recommended ssl-8.2.1 or later for this option to work as intended.

session_cache_server_max = integer() <optional>

Limits the growth of the server's session cache, that is, how many client sessions are cached by the server. If the maximum number of sessions is reached, the current cache entries will be invalidated regardless of their remaining lifetime. Defaults to 1000. Recommended ssl-8.2.1 or later for this option to work as intended.


Regards Ingela

On Fri 23 Aug 2019 at 15:31, Oliver Bollmann <[hidden email]> wrote:
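The "callback for the session table that does not save the information" from Ingela's first reply, plus the session_lifetime and session_cache_server_max limits from the later replies, written out as an added example (not code from the thread or from Erlang/OTP itself): a `ssl_session_cache_api` module that stores nothing, so the server table cannot grow no matter how many third-party clients reconnect. The module name, the config file name and the cap value 10000 are assumptions; the cost of this module is that every reconnect is a full handshake, which is the trade-off the thread describes.

```erlang
%% Added example, not from the thread or from OTP: a session cache callback
%% that keeps nothing, so server_ssl_opt_session_cache cannot grow at all.
%% Module name and the configuration in the trailing comment are assumptions.
-module(ssl_no_session_cache).
-behaviour(ssl_session_cache_api).

-export([init/1, terminate/1, lookup/2, update/3, delete/2,
         foldl/3, select_session/2, size/1]).

%% The "cache" is only a tag; no ETS table is created, so there is nothing
%% for 5000 clients reconnecting every 25 seconds to fill up.
init(_Args) -> no_cache.

terminate(no_cache) -> ok.

%% Every lookup misses: a client offering an old session id gets a full
%% handshake instead of a resumption, and the handshake data is then dropped.
lookup(no_cache, _Key) -> undefined.

%% Called by ssl after a handshake to store the session; drop it instead.
update(no_cache, _Key, _Session) -> ok.

delete(no_cache, _Key) -> ok.

%% Nothing to fold over, so the accumulator is returned unchanged.
foldl(_Fun, Acc, no_cache) -> Acc.

%% The client side uses this to find a session for a host/port; none here.
select_session(no_cache, _PartialKey) -> [].

%% Always empty, so the ssl application's own size checks never trigger.
size(no_cache) -> 0.

%% Two ways to wire this up (assumed sys.config; values other than
%% session_lifetime 120 are assumptions, not from the thread):
%%
%% 1) Keep the default ETS cache but bound it, as the later replies suggest:
%%   [{ssl, [{session_lifetime, 120},            %% seconds
%%           {session_cache_server_max, 10000}]}]. %% entries, soft limit
%%
%% 2) Replace the cache with this module so nothing is stored server-side:
%%   [{ssl, [{session_cb, ssl_no_session_cache}]}].
%%
%% After a change, `ets:info(server_ssl_opt_session_cache, size)` and
%% `ets:info(server_ssl_opt_session_cache, memory)` in a remote shell show
%% whether the table is actually staying bounded under load.
```

Option 1 keeps resumption for well-behaved clients and limits the memory an unbounded stream of new sessions can consume; option 2 removes the table as a resource-exhaustion surface entirely at the price of a full handshake per connection.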