[erlang-questions] Erlang & TLS Termination

Ingela Andin ingela.andin@REDACTED
Fri Sep 7 23:12:20 CEST 2018


There are always lots of trade-offs between security and efficiency. And we
can never make all of them for you.
Basic TLS session handling I think is kind of flawed by design; we have
tried to mitigate it. It seems for really powerful machines it is not
enough and the session table can be filled quicker than cleaned. We were
thinking session tickets could be the solution, and a workaround was to have
your own session table callback, as Fred suggested, not saving any sessions. But
TLS 1.3 deprecates both these ways and introduces a new way, so TLS-1.2
session tickets are not so tempting any more. If people think they have no
or a low benefit from the TLS session tables maybe we could change it
somehow.

Regards Ingela, Erlang/OTP team - Ericsson AB

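The "session table callback that saves nothing" workaround mentioned above, written out as an added example (it is not code from this thread or from OTP; the module name null_session_cache and the install/0 helper are this example's own, and it assumes the ssl_session_cache_api behaviour as documented for OTP 21):

```erlang
%% Added example: an ssl_session_cache_api implementation that stores
%% nothing, so a busy TLS 1.2 server never accumulates session entries.
%% Module name and install/0 are assumptions of this example, not OTP API.
-module(null_session_cache).
-behaviour(ssl_session_cache_api).

-export([init/1, terminate/1, lookup/2, update/3, delete/2,
         foldl/3, select_session/2, size/1]).
-export([install/0]).

%% The ssl app reads session_cb when its session manager starts, so the
%% environment must be set before ssl is started (e.g. from a boot script).
install() ->
    ok = application:load(ssl),
    ok = application:set_env(ssl, session_cb, ?MODULE),
    ok = application:set_env(ssl, session_cb_init_args, []),
    ssl:start().

%% No state is needed; the atom is the cache handle.
init(_Args) -> no_cache.

terminate(no_cache) -> ok.

%% Never find a session: every handshake becomes a full handshake.
lookup(no_cache, _Key) -> undefined.

%% Drop every session the ssl app asks us to store.
update(no_cache, _Key, _Session) -> ok.

delete(no_cache, _Key) -> ok.

%% Nothing to fold over; return the accumulator unchanged.
foldl(_Fun, Acc, no_cache) -> Acc.

%% No reusable sessions for any partial key.
select_session(no_cache, _PartialKey) -> [].

%% Always empty, so the size-based invalidation never has to run.
size(no_cache) -> 0.
```

Every connection then pays for a full handshake, which is the CPU-for-memory trade the reply describes; this only affects the TLS 1.2 session table, not the TLS 1.3 ticket mechanism the reply says replaces it.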
On Wed 5 Sep 2018 at 17:17, Dave Cottlehuber <dch@REDACTED> wrote:

> On Wed, 5 Sep 2018, at 15:19, Frank Muller wrote:
> > Hi guys
> >
> > Would like to hear from your experience(s) on using Erlang with TLS/SSL.
> > The default Erlang stack doesn't perform well, Google says.
> >
> > Does anyone use Erlang in production behind:
> >
> > . Hitch: https://hitch-tls.org/
> > . Envoy: https://www.envoyproxy.io/
> > . HAProxy: http://www.haproxy.org/
> > . ???
>
> I’ve used haproxy to great effect handling all those messy acme/let’s
> encrypt renewals and load balancing connections across multiple servers for
> plain https, rabbitmq and socketio traffic. Roughly 50-80k https txns in
> and out per hour. The major win was matching up ibrowse connection settings
> with http1.1 pipelined connections to a 3rd party API. I think ferd’s
> tuning is a very similar outcome.
>
> The most important things in hindsight were
>
> - getting pipelining working to reuse TLS connections
> - observability
> - good logging
> - predictable failure modes
>
> I moved all services including DB and message brokers behind haproxy for
> these reasons.
>
> You should look very carefully at service discovery, and http2 support, in
> all of the situations you intend to proxy, not all of these projects have
> the same level of support.
>
> Developing your own heroku style LB would be interesting for a bigger
> organisation I think. I needed something I could forget about.
>
> A+
> Dave
>