Increasing SSL handshaking performance


Problem description

I've got a short-lived client process that talks to a server over SSL. The process is invoked frequently and only runs for a short time (typically for less than 1 second). This process is intended to be used as part of a shell script used to perform larger tasks and may be invoked pretty frequently.

The SSL handshaking it performs each time it starts up is showing up as a significant performance bottleneck in my tests and I'd like to reduce this if possible.

One thing that comes to mind is taking the session id and storing it somewhere (kind of like a cookie), and then re-using this on the next invocation, however this is making me feel uneasy as I think there would be some security concerns around doing this.

So, I have a few questions:

  1. Is this a bad idea?
  2. Is this even possible using OpenSSL?
  3. Are there any better ways to speed up the SSL handshaking process?

Recommended answer

After the handshake, you can get the SSL session information from your connection with SSL_get_session(). You can then use i2d_SSL_SESSION() to serialise it into a form that can be written to disk.

When you next want to connect to the same server, you can load the session information from disk, then unserialise it with d2i_SSL_SESSION() and use SSL_set_session() to set it (prior to SSL_connect()).

The on-disk SSL session should be readable only by the user that the tool runs as, and stale sessions should be overwritten and removed frequently.
