
Q: Does httpclient support SSL session re-use?

Open jrochkind opened this issue 13 years ago • 7 comments

Sorry, I don't know quite the right words to describe this.

But, even without a persistent connection, it looks to me that a great increase in performance can be had by re-use of SSL session information -- what is controlled server side by SSLSessionCacheTimeout in Apache -- this is different than re-using a persistent HTTP connection. It's re-using SSL keys across HTTP connections.

I connect to some servers that don't support persistent HTTP connections, but do support SSL session token reuse, and when the client can take advantage of this, it does seem to significantly impact performance.

Can HTTPClient? If not, should it?

jrochkind avatar Dec 11 '12 14:12 jrochkind

Here's a patch I once tried: https://github.com/nahi/httpclient/commit/7fc04933961ea3ea5a2aa595172ca7cd29a718f5 There's a compatibility issue I guess but I don't remember the detail...

Do you have your patch? If not, can you try the ssl_session_reuse branch?

nahi avatar Dec 12 '12 20:12 nahi

Thank you!

I do not have a patch myself, this kind of programming is probably beyond me. I just believe that in my current use case I can increase performance a lot with ssl session reuse. It looks like in my use case ssl session reuse without persistent http connection can be almost as good as persistent http connection, but a lot less taxing on the server.

I am a bit reluctant to put into production a patch that isn't part of stable maintained httpclient release, and that is intentionally not part of it because you think there was a compatibility issue but can't remember what it was!

Should I be scared to use this patch? If it looks like it works initially, might it still stop working in other situations?

If not, and you think it can be relied upon, would you consider making it part of standard HTTPClient release? Perhaps as an optional opt-in feature?

Basically, if you are not confident enough in it to make it part of the release, I'm not confident enough in it to use as a custom patch, since you know a lot more about it than me!

jrochkind avatar Dec 18 '12 00:12 jrochkind

According to http://globaldev.co.uk/2013/03/ruby-2-0-0-in-detail/, in ruby 2.0.0 stdlib Net::HTTP "SSL sessions are also now reused, cutting down on time spent negotiating connections."

If that's true... it's hard for HTTPClient without this feature, makes me want to move to a Net::HTTP solution that has this feature, even though otherwise I like HTTPClient better. But it's hard to give this up if it's available. Previously, few if any other ruby http libraries that were otherwise decent did this.

I still don't understand the details of how ruby 2.0.0 stdlib Net::HTTP does it, with regard to threading and such.

jrochkind avatar Mar 12 '13 21:03 jrochkind

@nahi If you remember the compatibility issue you encountered, I could possibly take a whack at this.

mkarnebeek avatar Jun 30 '15 10:06 mkarnebeek

@jrochkind Net::HTTP does not handle connection pooling. It only resumes SSL sessions when reusing the same connection object. Handling connection pooling yourself will not result in sharing SSL sessions across connections. Also, there is currently no way to extract or set ssl sessions to/from Net::HTTP connections and implement this sharing yourself with a mutex.

mkarnebeek avatar Jun 30 '15 11:06 mkarnebeek

First of all, make sure the server you are requesting supports session-reuse. You can test with "openssl s_client -reconnect -state -prexit -connect 127.0.0.1:9999". "Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA" means the server supports session-reuse. Second, make sure you use the same SSLContext when creating the HttpClient instance. Refer to http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLContext

mengxiangru avatar Sep 26 '16 11:09 mengxiangru

I ended up writing a custom connection pool for Net::HTTP which handles ssl session by setting and reading the @session instance variable from Net::HTTP every time a connection is checked in and out of the pool. It's a hacky solution, but works.

mkarnebeek avatar Sep 26 '16 12:09 mkarnebeek
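
The behaviour discussed in this thread, as an added example (not code from the thread, httpclient or Net::HTTP): a new connection resumes a TLS session only when the saved `OpenSSL::SSL::Session` is explicitly handed to it. The helper names `handshake` and `reuse_demo`, the throwaway self-signed certificate and the TLS 1.2 pin (which keeps session capture deterministic) are assumptions of the example.

```ruby
require "openssl"
require "socket"

# One TLS handshake over an in-process socket pair; returns [reused?, session].
def handshake(server_ctx, client_ctx, session = nil)
  c_io, s_io = UNIXSocket.pair
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(s_io, server_ctx)
    ssl.accept
    ssl.gets                          # wait for the client's line, then shut down
    ssl.close
  end
  ssl = OpenSSL::SSL::SSLSocket.new(c_io, client_ctx)
  ssl.session = session if session    # offer the saved session for resumption
  ssl.connect
  result = [ssl.session_reused?, ssl.session]
  ssl.puts "bye"
  ssl.close
  server.join
  result
ensure
  [c_io, s_io].each { |io| io&.close }
end

def reuse_demo
  key = OpenSSL::PKey::RSA.new(2048)      # constructed throwaway key
  cert = OpenSSL::X509::Certificate.new   # constructed self-signed certificate
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key
  server_ctx.session_id_context = "reuse-demo"
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER  # trust only the demo cert
  client_ctx.cert_store = OpenSSL::X509::Store.new
  client_ctx.cert_store.add_cert(cert)

  first, saved = handshake(server_ctx, client_ctx)          # full handshake
  second, = handshake(server_ctx, client_ctx, saved)        # session carried over
  third, = handshake(server_ctx, client_ctx)                # nothing carried over
  [first, second, third]
end
```

A connection pool that wants resumption across sockets has to store the session at check-in and set it before `connect` at check-out, under a mutex if the pool is shared between threads.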