launchpad-dev team mailing list archive

Thread
Date

Re: SSL sessions: start-up latency and renegotiations

To: Clint Byrum <clint.byrum@xxxxxxxxxxxxx>
From: Robert Collins <robert.collins@xxxxxxxxxxxxx>
Date: Wed, 18 Aug 2010 09:10:32 +1200
Cc: Elliot Murphy <elliot@xxxxxxxxxxxxx>, Launchpad Development <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <4AB3866E-941E-49F9-B4F7-BBF89EC00B65@canonical.com>
Sender: robertc@xxxxxxxxxxxxxxxxx

So, we have a few options and one obvious thing to do.

Obvious: increase the session lifetime in Apaches SSL engine.
 - will increase memory usage on the Apache FE's : unlikely to be an issue.
 I'll RT this now.

Move to a single IP single active server Apache FE.
 + immediate performance win
 + simple to understand
 - more load on that one machine

Move to an LVS (or similar) single IP multiple servers Apache FE with
shared SSL session cache
 + immediate performance win
 - more complexity

Test out whether a shared SSL session cache with multiple ips helps
 + small incremental change
 - unknown whether it will help, and how much it will help (may reduce
not eliminate round trips)

We have a few big changes going on at the moment, and I'm concerned an
LVS or similar deployment project will steal resources from getting
those changes executed; so at the moment, my personal preference would
be to go to a single active server, with failover in the event of
failure/upgrades.

-Rob

References

SSL sessions: start-up latency and renegotiations
From: Gavin Panella, 2010-08-13
Re: SSL sessions: start-up latency and renegotiations
From: Michael Hudson, 2010-08-16
Re: SSL sessions: start-up latency and renegotiations
From: Elliot Murphy, 2010-08-17
Re: SSL sessions: start-up latency and renegotiations
From: Clint Byrum, 2010-08-17