<div dir="ltr"><div>Hi!</div><div><br></div><div>How do you provide your certificates to ssl? If you provide your CA-certs as binary DER blobs to the connection they</div><div>will be stored by the connection and be local to the connection. If you provide them through a file they will be stored</div><div>in a ETS table and maybe referenced by other connections as there is a way to refer to them. <br></div><div><br></div><div>Regards Ingela Erlang/OTP Team <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Den mån 10 juni 2019 kl 05:10 skrev Jamie McClymont <<a href="mailto:jamie%2Berlang-questions@kwiius.com">jamie+erlang-questions@kwiius.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all<br>
<br>
I'm building an app which needs to be able to make a good number of concurrent HTTPS requests (ideally I could keep high-hundreds/low-thousands of idle keepalive connections open at a time with modest memory usage).<br>
<br>
Poking around (by making concurrent requests to 50 domains), I find that holding HTTP connections is effectively free memory-wise, while holding HTTPS connections costs around 2.5MB per connection! All this memory usage is in the tls_connection:init/1 processes, according to observer.<br>
<br>
Looking at the state of these processes, they each hold a lot of information: the extracted/decoded certificate files for all the CA certs on my system (of which there are 134!). From some cursory googling about erlang's memory model, it seems that because this data is not a binary blob but a big tree of terms, it's going to be copied to every tls_connection process.<br>
<br>
Any pointers on if there is an existing way to mitigate this (while keeping a full set of root certs available)? Otherwise, it seems to me the reasonable solution would be to keep the CA store in a central process (ETS?) and query that for the specific root cert that the server says it is signed by. If I'll be implementing it, could someone sanity-check this approach:<br>
* provide an empty list of CAs to the ssl module<br>
* provide a verify_fun which matches on {bad_cert, unknown_ca} and then gets the correct CA and performs all the remaining necessary checks (whatever those are...) before returning {valid, UserState} (or {valid_peer, UserState}?)<br>
<br>
<br>
Thanks<br>
- Jamie<br>
<br>
P.s. sorry if this email is a duplicate: I think my last one was silently dropped since I sent it from a different address to the one I subscribed with, but not certain.<br>
<br>
Appendix - one of the 134 decoded certs stored by every process:<br>
<br>
{decoded,<br>
{{#Ref<0.577909663.1295777797.255240>,<br>
106100277556486529736699587978573607008,<br>
{rdnSequence,<br>
[[{'AttributeTypeAndValue',{2,5,4,6},"CN"}],<br>
[{'AttributeTypeAndValue',<br>
{2,5,4,10},<br>
{utf8String,<<"UniTrust">>}}],<br>
[{'AttributeTypeAndValue',<br>
{2,5,4,3},<br>
{utf8String,<br>
<<"UCA Extend"...(28 B)>>}}]]}},<br>
{<<48,130,5,90,48,130,3,66,160,3...(1 kB)>>,<br>
{'OTPCertificate',<br>
{'OTPTBSCertificate',v3,106100277556486529736699587978573607008,<br>
{'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},<br>
{rdnSequence,<br>
[[{'AttributeTypeAndValue',{2,5,4,6},"CN"}],<br>
[{'AttributeTypeAndValue',<br>
{2,5,4,10},<br>
{utf8String,<<"UniTrust">>}}],<br>
[{'AttributeTypeAndValue',<br>
{2,5,4,3},<br>
{utf8String,<br>
<<"UCA Extend"...(28 B)>>}}]]},<br>
{'Validity',{utcTime,"150313000000Z"},{utcTime,"381231000000Z"}},<br>
{rdnSequence,<br>
[[{'AttributeTypeAndValue',{2,5,4,6},"CN"}],<br>
[{'AttributeTypeAndValue',<br>
{2,5,4,10},<br>
{utf8String,<<"UniTrust">>}}],<br>
[{'AttributeTypeAndValue',<br>
{2,5,4,3},<br>
{utf8String,<br>
<<"UCA Extend"...(28 B)>>}}]]},<br>
{'OTPSubjectPublicKeyInfo',<br>
{'PublicKeyAlgorithm',{1,2,840,113549,1,1,1},'NULL'},<br>
{'RSAPublicKey',<br>
689603717979852636831081426524261160465705539154429034072886964586226830541206711367761253770112725458465044497361739659482435934368052465546153546798794021727234724250491430601994902725573258440903769572247434719710136763019389835974660379560646189661431052777862620577580627735499519427983731365873646101116220703443112119094192330629089538925644308340292126955780669276375525797477380635249258541277353787220035677250408659616695990328739419944306797836041926101961617154636604738870383637100044978431121318943912528365357866046388476749437076957867974020718613998841641003305315809368105957269212277478816744375233680463674812053558530520195020911324127390436183137612053158831455696931169855471108960460199610930021503675868841756093916690737925568854144895439113023618139270733541586805299082563244530623575372402602522085830629158312024768857183218701826386841425816972120556588392270337545276474712543306659887836405319075385033422367187135702233624763183702955559196400<br>
695312060899684142798408078723091214153237781607055313585627048184929762700635100359534649156945631489915475941635189136663455081054904713071171644045263631869342706234148072080520374089220391876551645591673277270360119934713372188503089344323356273673087,<br>
65537}},<br>
asn1_NOVALUE,asn1_NOVALUE,<br>
[{'Extension',<br>
{2,5,29,14},<br>
false,<br>
<<217,116,58,228,48,61,13,247,18,220...(20 B)>>},<br>
{'Extension',<br>
{2,5,29,19},<br>
true,<br>
{'BasicConstraints',true,asn1_NOVALUE}},<br>
{'Extension',<br>
{2,5,29,15},<br>
true,<br>
[digitalSignature,keyCertSign,cRLSign]}]},<br>
{'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},<br>
<<54,141,151,204,66,21,100,41,55,155...(512 B)>>}}}},<br>
_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
</blockquote></div></div>