[erlang-questions] Erlang & TLS Termination

Fred Hebert mononcqc@REDACTED
Wed Sep 5 15:52:27 CEST 2018


During my time at Heroku, we managed to make the Erlang TLS implementation
(as a server) perform on par with Amazon's ELB stack -- it was something
like 1-2ms (out of like 13-15ms) slower on the median case, but several
seconds (if not minutes!) faster in the worst case, per connection, overall
much more stable. We needed to patch a few things, but since around OTP-20,
all of these have made it to upstream in OTP.

The type of configuration used is described in a gist at
https://gist.github.com/ferd/af9abf6b3600d2d7f08dba58fdfb514a -- the format
changed in OTP-21, but the most important parts are all there.

In short, it relies mostly on:
- good configuration of cache (mostly disabling a bunch of them when you
don't need disk cache)
- good configuration of preferred cipher suites and ECCs (picking more
complex ones than required slows things down -- i.e. picking a secp512 ECC
instead of a secp256 one iirc almost doubled the handshake time compared to
AWS until we replicated their configurations)


On Wed, Sep 5, 2018 at 9:19 AM, Frank Muller <frank.muller.erl@REDACTED>
wrote:

> Hi guys
>
> Would like to hear from your experience(s) on using Erlang with TLS/SSL.
> The default Erlang stack doesn't perform well, Google says.
>
> Does anyone use Erlang in production behind:
>
> . Hitch: https://hitch-tls.org/
> . Envoy: https://www.envoyproxy.io/
> . HAProxy: http://www.haproxy.org/
> . ???
>
> Or directly using:
> . gen_ssl: how to make it scale?
> . fast_tls: https://github.com/processone/fast_tls
> . ???
>
> Some of the solutions above are fast, some scale well ... but all with
> downsides (ex. Hitch adds 200kiB overhead per connection).
>
> We’re planning to go live with a fairly large number of secure
> connections: 45k - 75k. The sessions should be short (few seconds).
> Transferred data should range between 50KiB to 1miB max.
>
> Insights and/or feedback are very welcome.
>
> /Frank

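The cipher suite and curve point from the reply above, as an added example that is not part of the thread and is not the configuration from the linked gist. It assumes the OTP 21 `ssl` API (map-based suites); the module name, the suite selection and the 128-bit-first ordering are this example's own choices, and the cache settings are not covered here.

```erlang
-module(tls_listen_example).   % hypothetical module name
-export([server_opts/2, listen/3]).

%% Build ssl:listen/2 options that pin the handshake to a short, ordered
%% list of ECDHE + AEAD suites and to a single 256-bit curve.
server_opts(CertFile, KeyFile) ->
    %% Start from the suites OTP enables by default for TLS 1.2.
    Default = ssl:cipher_suites(default, 'tlsv1.2'),
    Suites = ssl:filter_cipher_suites(Default,
        [{key_exchange,
          fun(Kx) -> lists:member(Kx, [ecdhe_ecdsa, ecdhe_rsa]) end},
         {cipher,
          fun(C) -> lists:member(C, [aes_128_gcm, aes_256_gcm,
                                     chacha20_poly1305]) end}]),
    %% Example choice: prefer AES-128-GCM, keep the default order otherwise.
    %% lists:sort/2 is stable because the fun returns true for equal ranks.
    Rank = fun(#{cipher := aes_128_gcm}) -> 0; (_) -> 1 end,
    Ordered = lists:sort(fun(A, B) -> Rank(A) =< Rank(B) end, Suites),
    %% Offer secp256r1 only, and only if this crypto build supports it.
    Curves = [C || C <- [secp256r1], lists:member(C, ssl:eccs())],
    %% Fail at startup rather than listen with an empty policy.
    Ordered =/= [] orelse error(no_acceptable_cipher_suites),
    Curves =/= [] orelse error(no_acceptable_curve),
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {versions, ['tlsv1.2']},
     {ciphers, Ordered},
     {eccs, Curves},
     %% Make the server's order win over whatever the client prefers.
     {honor_cipher_order, true},
     {honor_ecc_order, true},
     {secure_renegotiate, true},
     {client_renegotiation, false}].

%% Start the ssl application and open a listening socket with the
%% options above. Port, CertFile and KeyFile come from the caller.
listen(Port, CertFile, KeyFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl:listen(Port, [{reuseaddr, true} | server_opts(CertFile, KeyFile)]).
```

Timing handshakes against this listener before and after changing the curve list is a direct way to check the effect described in the reply on your own hardware.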
