[Info-vax] New OpenSSL update from HP

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Sun Jun 14 19:32:42 EDT 2015


On 2015-06-14 22:43:29 +0000, Jan-Erik Soderholm said:

> One of the reasons CSWS performs less well on VMS is because of the 
> high use of forked subprocesses. *That* is inefficient on VMS.

There is a pool of worker processes yes, but that'll exist in any web 
server configuration short of running it all in one process with 
threading.

Yes, process creation was glacial in years past and best avoided, but 
the servers have also gotten much faster.  While CPU is still a factor 
for some cases, there can be other issues beyond the process creation.  
There's that OpenVMS network I/O tends to be slower than Unix in 
various tests, that the file I/O also tends to be slower in various 
tests, that the interprocess communications have been slow, etc.  There 
are many potential contributing factors to slowness in any complex 
design.

It may well be the process creation for the worker processes is the 
limiting factor, but I'd want to see some data before drilling in on 
that...

Another factor here is whether the users will accept the new user 
interface and the new environment, or if you end up maintaining 
multiple different environments for any of various reasons.  I'm more 
than willing to change UIs, but I'd rather get a net benefit out of 
that effort on engineering and on the end-users, and would also 
obviously prefer to avoid maintaining two or more parallel environments.

> Now, I do not think that SSL has much of that.

Beyond my own activities, I've encountered no process creations in any 
of my uses of SSL.  There may well be some (somewhere), but it's not 
something I've encountered.  (It'd be feasible to grep the source code 
for fork or system calls, but then I don't have a copy of OpenSSL 
handy.)

> A Specification for what? SSL/TLS? This page has a lot of RFC references:
> https://en.wikipedia.org/wiki/Transport_Layer_Security
> 
> The latest TLS 1.2: https://tools.ietf.org/html/rfc5246

That's just one part, of course.  RFC 6176, too.  There are other RFCs 
involved.  SSL is a negotiation framework, with the key exchange, with 
the various ciphers, certificate processing and validation, random 
number generation — there are more than a few folks that will state 
that cryptographic random number generation is untenable in user space, 
but I digress — and the associated negotiation mechanisms.  There are a 
number of RFCs just for the TLS host name validation, too; per one 
report, that list includes 2459, 2595, 2818, 2830, 3207, 3490, 3546, 
3920, 4513, 4642, 4954, 5425, 5539, 5922, 5953, and 6125.  (This is 
part of why I'm skeptical around VSI rolling their own crypto at least 
initially — sure, it's possible, but it's no small investment.)


-- 
Pure Personal Opinion | HoffmanLabs LLC



