Note: If you have it as dup, sorry, without knowing it, I trashed my subscription to the list yesterday and this may be the reason.

----

Hello Alex and all,

I must admit I haven't tested the code yet, but I have spent quite some time reading it. The one thing I found which is not supported, but is really needed, is session resuming. When the SSL machinery is loaded, we do not provide a storage engine for the sessions.

In IOBuf_create, we need to add something like:

    ssl_set_scb(&buf->ssl, my_get_session, my_set_session);

before ssl_set_session. Then we could define something like here:

http://polarssl.org/trac/browser/trunk/programs/ssl/ssl_server.c#L106

I do not know if the order in setting the callbacks is important; if not really, the session callbacks could be set in Connection_create.

This also means that we need to define a correct timeout for the sessions or a fixed-length storage. In fact, if we really want to have a top implementation, it should be possible to ask a handler for the session data or something like that to nicely support round-robin load balancing with session reuse.

I am really impressed by the clarity of the PolarSSL code. I am not at all a C coder, I know next to nothing about SSL stuff, but still, I was able to follow the code and with a session flow diagram understand what is going on. A really good catch for Mongrel2.

loïc
Sorry for my much-delayed response -- in the past week I've moved across the country and started work.

My idea for session storage is to have a really simple session storage cache written right into Mongrel2 that just uses the LRU cache gear we've already got. The simple configuration is just setting the number of stored sessions.

The second part is session sharing across different Mongrel2 instances. For this, I think the "Mongrel2 way" is to use zeromq/tnetstrings to connect to a session storage service, which itself can interact with memcached, redis, sql, pen and paper, etc.

What do you all think?

Alex

On Tue, Jun 28, 2011 at 2:34 AM, Loic d'Anterroches <loic@ceondo.com> wrote:
> Note: If you have it as dup, sorry, without knowing it, I trashed my
> subscription to the list yesterday and this may be the reason.
> ----
>
> Hello Alex and all,
>
> I must admit I haven't tested the code yet, but, I have spent quite some
> time reading it. The one thing I found which is not supported, but is
> really needed, is session resuming. When the ssl machinery is loaded, we
> do not provide a storage engine for the sessions.
>
> In IOBuf_create, we need to add something like:
>
> ssl_set_scb(&buf->ssl, my_get_session, my_set_session);
>
> Before ssl_set_session. Then we could define something like here:
>
> http://polarssl.org/trac/browser/trunk/programs/ssl/ssl_server.c#L106
>
> I do not know if the order in setting the callbacks is important, if not
> really, the session callbacks could be set in Connection_create.
>
> This also mean that we need to define a correct timeout for the sessions
> or a fixed length storage. In fact if we really want to have a top
> implementation it should be possible to ask an handler for a session
> data or something like that to nicely support round robin load balancing
> with session reuse.
>
> I am really impressed by the clarity of the PolarSSL code. I am not at
> all a C coder, I know next to nothing about SSL stuff, but still, I was
> able to follow the code and with a session flow diagram understand what
> is going on. A really good catch for Mongrel2.
>
> loïc
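The two ideas in this thread, Loïc's get/set session callbacks with a timeout or fixed-length store, and Alex's in-process cache whose only setting is the number of stored sessions, fit together in one small structure. The following is an added example, not Mongrel2's or PolarSSL's code: `session_t` is a hypothetical, simplified stand-in for the fields of PolarSSL's `ssl_session` that the sample callbacks compare (id, cipher, master secret), the constants are assumptions, and the real `ssl_set_scb` callbacks, which receive an `ssl_context *`, would simply wrap `cache_get_session` and `cache_set_session`. The cache evicts the least recently used entry when full and refuses to resume a session older than its timeout, measured from creation rather than last use, so repeated resumption cannot keep a master secret alive forever.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SESSION_ID_MAX  32
#define MASTER_LEN      48
#define CACHE_SLOTS      4   /* the single knob: how many sessions to keep (assumed) */
#define SESSION_TIMEOUT 300  /* seconds since creation; 0 disables expiry (assumed) */

/* Hypothetical, simplified stand-in for the fields of PolarSSL's ssl_session
 * that the callbacks look at; not the library's real struct. */
typedef struct {
    unsigned char id[SESSION_ID_MAX];
    size_t        id_len;
    int           cipher;
    unsigned char master[MASTER_LEN];
} session_t;

typedef struct {
    session_t s;
    time_t    created;    /* 0 marks an empty slot; drives expiry */
    time_t    last_used;  /* drives LRU eviction */
} slot_t;

static slot_t cache[CACHE_SLOTS];

void cache_reset(void) { memset(cache, 0, sizeof cache); }

int cache_count(void)
{
    int n = 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].created != 0) n++;
    return n;
}

static int same_id(const session_t *a, const session_t *b)
{
    return a->id_len == b->id_len && memcmp(a->id, b->id, a->id_len) == 0;
}

/* "set" callback: store a freshly negotiated session. Fixed-length storage:
 * when every slot is taken, the least recently used entry is overwritten.
 * Returns 0 on success, -1 on a malformed id. */
int cache_set_session(const session_t *s, time_t now)
{
    if (s->id_len == 0 || s->id_len > SESSION_ID_MAX) return -1;
    int victim = 0;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].created == 0 || same_id(&cache[i].s, s)) { victim = i; break; }
        if (cache[i].last_used < cache[victim].last_used) victim = i;
    }
    cache[victim].s = *s;
    cache[victim].created = now;
    cache[victim].last_used = now;
    return 0;
}

/* "get" callback: the client offered a session id. On a hit, copy the stored
 * master secret into *s and return 0; otherwise return 1 (the 0/1 convention
 * of the PolarSSL sample). Expiry is measured from creation, not last use. */
int cache_get_session(session_t *s, time_t now)
{
    if (s->id_len == 0 || s->id_len > SESSION_ID_MAX) return 1;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        slot_t *e = &cache[i];
        if (e->created == 0 || e->s.cipher != s->cipher || !same_id(&e->s, s))
            continue;
        if (SESSION_TIMEOUT != 0 && now - e->created > SESSION_TIMEOUT) {
            e->created = 0;   /* stale: drop it rather than hand out an old secret */
            return 1;
        }
        memcpy(s->master, e->s.master, MASTER_LEN);
        e->last_used = now;
        return 0;
    }
    return 1;
}

/* Constructed sessions for the demo; real ids and secrets come from the handshake. */
session_t make_session(const char *id, int cipher, unsigned char fill)
{
    session_t s;
    memset(&s, 0, sizeof s);
    s.id_len = strlen(id) > SESSION_ID_MAX ? SESSION_ID_MAX : strlen(id);
    memcpy(s.id, id, s.id_len);
    s.cipher = cipher;
    memset(s.master, fill, MASTER_LEN);
    return s;
}

int cache_store(const char *id, int cipher, unsigned char fill, time_t now)
{
    session_t s = make_session(id, cipher, fill);
    return cache_set_session(&s, now);
}

/* Returns the first byte of the recovered master secret, or -1 on a miss. */
int cache_probe(const char *id, int cipher, time_t now)
{
    session_t q = make_session(id, cipher, 0x00);
    return cache_get_session(&q, now) == 0 ? q.master[0] : -1;
}

int main(void)
{
    cache_reset();
    cache_store("sess-a", 1, 0xA1, 1000);
    printf("resume after 10s:  %s\n", cache_probe("sess-a", 1, 1010) >= 0 ? "hit" : "miss");
    printf("resume after %ds: %s\n", SESSION_TIMEOUT + 1,
           cache_probe("sess-a", 1, 1000 + SESSION_TIMEOUT + 1) >= 0 ? "hit" : "miss");
    return 0;
}
```

Passing `now` in explicitly keeps the expiry and eviction logic testable without the wall clock; a real callback would call `time(NULL)`. The cache is a plain static array with no locking, which matches a single-threaded Mongrel2 process but would need a mutex or per-task ownership anywhere the callbacks can run concurrently, and a cross-instance store of the kind Alex describes would replace the array with a lookup against the external service.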
Hello,

On 2011-07-06 15:55, Alex Gartrell wrote:
> Sorry for my much-delayed response -- in the past week I've moved across
> the country and started work.

A good start is way more important than SSL in Mongrel2. Nothing to be sorry about.

> My idea for session storage is to have a really simple session storage
> cache written right into Mongrel2 that just uses the LRU cache gear
> we've already got. The simple configuration is just setting the number
> of stored sessions.

This would be great; we may not even need a timeout.

> The second part is session sharing across different Mongrel2 instances.
> For this, I think the "Mongrel2 way" is to use zeromq/tnetstrings to
> connect to a session storage service, which itself can interact with
> memcached, redis, sql, pen and paper, etc.

I really like the pen and paper approach, but maybe we can do that a bit later. In 99% of the cases people will have a single Mongrel2 instance anyway.

Some interesting stuff to read:

http://my.opera.com/yngve/blog/2011/06/23/popular-but-sluggish-secure-server-popularity-might-not-be-the-reason
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

loïc

> On Tue, Jun 28, 2011 at 2:34 AM, Loic d'Anterroches <loic@ceondo.com> wrote:
>
> Note: If you have it as dup, sorry, without knowing it, I trashed my
> subscription to the list yesterday and this may be the reason.
> ----
>
> Hello Alex and all,
>
> I must admit I haven't tested the code yet, but, I have spent quite some
> time reading it. The one thing I found which is not supported, but is
> really needed, is session resuming. When the ssl machinery is loaded, we
> do not provide a storage engine for the sessions.
>
> In IOBuf_create, we need to add something like:
>
> ssl_set_scb(&buf->ssl, my_get_session, my_set_session);
>
> Before ssl_set_session. Then we could define something like here:
>
> http://polarssl.org/trac/browser/trunk/programs/ssl/ssl_server.c#L106
>
> I do not know if the order in setting the callbacks is important, if not
> really, the session callbacks could be set in Connection_create.
>
> This also mean that we need to define a correct timeout for the sessions
> or a fixed length storage. In fact if we really want to have a top
> implementation it should be possible to ask an handler for a session
> data or something like that to nicely support round robin load balancing
> with session reuse.
>
> I am really impressed by the clarity of the PolarSSL code. I am not at
> all a C coder, I know next to nothing about SSL stuff, but still, I was
> able to follow the code and with a session flow diagram understand what
> is going on. A really good catch for Mongrel2.
>
> loïc

--
Dr Loïc d'Anterroches
Founder Céondo Ltd
w: www.ceondo.com | e: loic@ceondo.com
t: +44 (0)207 183 0016 | f: +44 (0)207 183 0124
Céondo Ltd, Dalton House, 60 Windsor Avenue, London SW19 2RR / United Kingdom