[erlang-questions] ssl session cache

Danil Zagoskin z@REDACTED
Wed Jan 13 14:41:49 CET 2016


Hi Pawel!

In 18.2 you should have session cache size limited by 1000 by default — see
https://github.com/erlang/otp/commit/42b8a29dbae1d626f32bc16dd81a129caf741138

Actually I have hit the trouble of many concurrent invalidators on 17.1,
but the number of sessions was about 350000.
Also 18.2 has performance improvements, so you have to keep even more
sessions to die of invalidators.

Try the following:
  - Check if tables 'server_ssl_otp_session_cache' and
'client_ssl_otp_session_cache' owned by ssl_manager in 'ets:i()' output
have more entries than configured limit.
  - If limiting works well, set the limit to e.g. 50000. This should be
sufficient for invalidator to finish its work in 60 seconds.
  - Maybe you have other problem. Check ssl_manager's message_queue. It may
be full of invalidation messages from closing sockets (in my tests closing
400000 sockets simultaneously blocks the manager for several minutes). You
can distinguish this from invalidator's effects by setting large lifetime
to prevent invalidator from running.

On Tue, Jan 12, 2016 at 6:04 PM, Pawel Kraszewski <pawel@REDACTED>
wrote:

> Hello!
>
> I'm struggling with SSL session cache. I've already upgraded to 18.2.1
> (fixed some of my problems), yet one thing bothers me:
>
> lib/ssl-7.2/src/ssl_manager.erl line 242/243
>
> SessionLifeTime = proplists:get_value(session_lifetime, Opts,
> ?'24H_in_sec'),
>
> It's OK.
>
> Line 251/252
>
> Timer = erlang:send_after(SessionLifeTime * 1000 + 5000, self(),
> validate_sessions),
>
> It's OK. Gives initial additional 5s backoff.
>
> And then suddenly line 383/384
>
> Timer = erlang:send_after(?SESSION_VALIDATION_INTERVAL, self(),
> validate_sessions),
>
> From this time on SessionLifeTime "reload" is ignored and forced to 60s.
>
> I have potentially thousands of short-span SSL connections (simple
> JSON queries via SSL) and session cache grows quickly - even with
> session lifetime set to 10s.
>
> What gives?
> --
>  Paweł Kraszewski
>  http://www.kraszewscy.net
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>



-- 
Danil Zagoskin | z@REDACTED
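
The checks listed in the reply above, as an added Erlang sketch (not part of the original message and not OTP code). The module name `ssl_cache_check` is hypothetical; the limits are read from the ssl application settings `session_cache_server_max` and `session_cache_client_max`, which the message does not name, and the fallback of 1000 is the default stated in the reply.

```erlang
%% Added example: run on the node that hosts the ssl application.
-module(ssl_cache_check).
-export([report/0, over_limit/2]).

%% Cache table name (as shown by ets:i()) paired with the ssl application
%% environment key assumed to limit it.
-define(CACHES, [{server_ssl_otp_session_cache, session_cache_server_max},
                 {client_ssl_otp_session_cache, session_cache_client_max}]).
-define(DEFAULT_MAX, 1000).  % default limit stated in the reply above

%% Returns ssl_manager's mailbox length, the configured session_lifetime
%% and, per cache table, {Name, Size, Limit, OverLimit}.
report() ->
    case whereis(ssl_manager) of
        undefined -> {error, ssl_manager_not_running};
        Mgr ->
            case erlang:process_info(Mgr, message_queue_len) of
                undefined -> {error, ssl_manager_not_running};
                {message_queue_len, QLen} ->
                    Rows = [cache_row(T, Mgr) || T <- ets:all()],
                    {ok, [{message_queue_len, QLen},
                          {session_lifetime,
                           application:get_env(ssl, session_lifetime)},
                          {caches, [R || R <- Rows, R =/= skip]}]}
            end
    end.

%% The cache tables are looked up by name and owner, because a table id
%% from ets:all() is not necessarily the table's name.
cache_row(Tab, Mgr) ->
    case {ets:info(Tab, name), ets:info(Tab, owner)} of
        {Name, Mgr} ->
            case lists:keyfind(Name, 1, ?CACHES) of
                {Name, EnvKey} ->
                    Limit = application:get_env(ssl, EnvKey, ?DEFAULT_MAX),
                    Size = ets:info(Tab, size),
                    {Name, Size, Limit, over_limit(Size, Limit)};
                false -> skip
            end;
        _ -> skip
    end.

%% A table deleted between the two ets:info/2 calls reports 'undefined'.
over_limit(Size, Limit) when is_integer(Size), is_integer(Limit) ->
    Size > Limit;
over_limit(_, _) -> unknown.
```

Calling `ssl_cache_check:report()` a few times while connections are being closed shows whether the mailbox or the tables are what keeps growing.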