[Mono-dev] SSL Channel implementation and SslServerStream

Sebastien Pouliot sebastien.pouliot at gmail.com
Mon Dec 17 13:50:42 EST 2007 

Hello Pablo,

On Mon, 2007-12-17 at 17:21 +0100, pablosantosluac wrote:
> Hi again,
> 
> Well, looking into the ServerContext constructor: the code converts between 
> the System.Security cert to a Mono cert. Ok, this calculation could be 
> skipped if a server is launching threads with the same certificate. The 
> performance hit "caching" this one is about a 50% (launching 350 client 
> threads simultaneously).

Sorry but this is confusing. Let me clear this up a bit so the answer
will be meaningful when goggled in the future ;-)

Converting the certificate between the minimal MS X509Certificate and
the Mono.Security X509Certificate is a very simple process. This could
be cached but this, alone, won't influence much performance.

The key exchange does an expensive RSA operation, but it cannot be
cached in ServerContext.

Now what *could* help is implementing a session cache in the
server[1][2]. However this helps only caching a session between the
server and a single client - you cannot share a session between multiple
clients.

That being said the server code won't scale to support, efficiently, 350
sessions. If you need high performance SSL code don't look at a managed
implementation (and IMO consider hardware acceleration).

[1] the SslClientStream already support session caching
[2] contributions welcome

> 
> I'll try to locate the next bottleneck

All cryptographic operations, like key exchange, encryption, integrity,
will show as a "bottleneck" - but they are exactly what you (should)
seek by choosing SSL.

> 
> 
> pablo
> 
> 
> ----- Original Message ----- 
> From: "pablosantosluac" <pablosantosluac at terra.es>
> To: <mono-devel-list at lists.ximian.com>
> Sent: Monday, December 17, 2007 4:23 PM
> Subject: [Mono-dev] SSL Channel implementation and SslServerStream
> 
> 
> > Hi all,
> >
> > I'm implemented a secured TCP remoting channel. I took the current TCP
> > Channel as starting point, and used Ssl{Client|Server}Stream to implement
> > communication, as Robert Jordan suggested.
> >
> > Well, it seems it works correctly but I've found the following issue:
> > creating each new connection takes time (obviously), but it is basically 
> > due
> > to a call to "new ServerContext" inside the SslServerStream constructor.
> >
> > The problem, in fact, seems related with the property 
> > X509Certificate::RSA.
> > Each time a new connection is opened, a new certificate is given, and the
> > private key used.
> >
> > Is there a way to actually make all this initialization just once? It 
> > would
> > greatly improve performance both in Mono and .NET.
> >
> > Any idea?
> >
> > thanks
> >
> > pablo
> >
> > _______________________________________________
> > Mono-devel-list mailing list
> > Mono-devel-list at lists.ximian.com
> > http://lists.ximian.com/mailman/listinfo/mono-devel-list 
> 
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list

More information about the Mono-devel-list mailing list