Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...

Weblog

SSL/TLS fixes and optimizations

A big commit (r65259) was done earlier this week on the SSL/TLS code base. Its main purpose was to enable re-negotiation of the security parameters during an existing session. This is now working nicely using Apache* but, sadly, this didn't fix the bug experienced by Npgsql.

That took a while to fix properly and a lot of debugging sessions; dealing with encrypted data is always full of surprises. I took the time, literally using mono --profile, when testing each change and, gradually, reduced the memory requirements by eliminating the conversion between byte[] and MemoryStream and also the creation of unrequired CryptoStream (and key setup) when using a block cipher (e.g. AES). The original requirements to download a 680Mb file were more than 4Gb of allocations while the current version requires only (still too much) 1.6Gb (37%).

The memory reduction should also benefit performance times, unless, like most of my tests, time becomes network-bound. This happens to me when using wireless (11g) with my laptop (even if its CPU is rather slow at 1.6 GHz) where both wget and mget take about 4m30s (total time) to download the same 680Mb file (of course user and system time are better for wget ;-)

Testing is now complete, on my side, but it would be nice, and much safer if your applications depend on SSL (e.g. HTTPS), to test this code before it gets released in 1.1.18. A ZIP file with both 1.0 and 2.0 versions of Mono.Security.dll is available here.

* You can try this with Apache by requiring different, and incompatible, SSL ciphers for the root directory and a sub-directory.
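
A test virtual host for the setup described in the footnote, as an added example that is not part of the original post. The host name, paths and certificate files are placeholders, and the two OpenSSL cipher names are simply one disjoint pair chosen for illustration; the client must support both.

```apache
# Constructed test configuration for exercising client-side renegotiation.
# All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName tls-test.example
    DocumentRoot "/var/www/tls-test"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/tls-test.example.pem"
    SSLCertificateKeyFile "/etc/ssl/private/tls-test.example.key"

    # Suite used for the initial handshake, before any URL is known.
    SSLCipherSuite AES128-SHA

    # Root directory: same suite as the initial handshake, so requests
    # here are served on the session as first negotiated.
    <Directory "/var/www/tls-test">
        SSLCipherSuite AES128-SHA
    </Directory>

    # Sub-directory: a suite that does not overlap with the one above.
    # In per-directory context mod_ssl renegotiates after reading the
    # request and before sending the response, so a request under
    # /renegotiate/ on an existing connection forces the client to
    # renegotiate. Renegotiation exists only in TLS 1.2 and earlier.
    <Directory "/var/www/tls-test/renegotiate">
        SSLCipherSuite AES256-SHA
    </Directory>
</VirtualHost>
```

Fetching a file from the root and then one under `/renegotiate/` over the same connection exercises the renegotiation path; a client that cannot renegotiate fails on the second request.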


9/13/2006 11:42:31

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.