[Mono-dev] SSL Channel implementation and SslServerStream

Sebastien Pouliot sebastien.pouliot at gmail.com
Mon Dec 17 16:29:43 EST 2007


Hello Pablo,

On Mon, 2007-12-17 at 21:44 +0100, pablosantosluac wrote:
> Hi Sebastien,
> 
> 
> > Converting the certificate between the minimal MS X509Certificate and
> > the Mono.Security X509Certificate is a very simple process. This could
> > be cached but this, alone, won't influence much performance.
> 
> Well, actually caching the line I mentioned (I've already tried with the 
> same sample I sent to the list last week, creating about 300 connections), 
> increases performance about 50%, but yes, when connections are started from 
> the same client.

This should not be, at least not when running under mono (which I assume
to be the case). Please send the diff you're using to get this 50%
increase.

> > The key exchange does an expensive RSA operation, but it cannot be
> > cached in ServerContext.
> 
> Yes, I've seen that too. I guess this is the other line I pointed.
> 
> > Now what *could* help is implementing a session cache in the
> > server[1][2]. However this helps only caching a session between the
> > server and a single client - you cannot share a session between multiple
> > clients.
> 
> Right, this is more or less what I said, isn't it? I mean, caching somehow 
> the initial RSA calculation done in the X509Certificate.

Less ;-) since the RSA calculation isn't done inside X509Certificate.

> > That being said the server code won't scale to support, efficiently, 350
> > sessions. If you need high performance SSL code don't look at a managed
> > implementation (and IMO consider hardware acceleration).
> 
> Well, that's an interesting answer. Do you mean it is better to implement a 
> high-perf server on C than Mono/C#? 

Well I guess that's debatable. I wouldn't trade C# for C unless you have
very high performance requirements.

> Or do you just talk about implementing a 
> whole SSL channel in C? 

Cryptography is very CPU intensive, to the point where most critical
functions are generally hand coded in assembly (at least in the top
performing tier).

Now you won't get anything near this performance in a fully managed
SSL/TLS implementation, like Mono provides. It doesn't mean that our
Mono cannot be better (compared to itself), it means it won't get better
(than some native alternatives). Still there are a lot of scenarios
where even a managed SSL server is very useful - high performance
servers are just not part of them ;-)

> If so, how? Could you point any samples? I'm not 
> familiar with SSL, which hw acceleration would do it better?

There's a whole world of options there (just google SSL hardware) and
they pretty much depend on what and how you're doing your stuff.

> 
> Thanks,
> 
> pablo 
> 
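
The server-side session cache discussed in the message above, modelled as an added example (not code from the original message or from Mono): it counts how many connections pay for the full RSA handshake when one client reconnects 300 times versus when 300 distinct clients connect once. SessionCache, Handshake and Demo are hypothetical names, not Mono.Security types, and a random 48-byte value stands in for the negotiated master secret.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added illustration: all type and member names here are hypothetical.
sealed class SessionCache
{
    sealed class Entry { public byte[] Secret; public DateTime Expires; }
    static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();
    readonly Dictionary<string, Entry> entries = new Dictionary<string, Entry>();
    readonly TimeSpan lifetime;
    public int FullHandshakes, Resumed;
    public SessionCache(TimeSpan lifetime) { this.lifetime = lifetime; }

    // Models the server side of one connection. offeredId is the session ID sent
    // in the ClientHello (null on first contact). Returns the ID the client keeps.
    public byte[] Handshake(byte[] offeredId)
    {
        string key = (offeredId == null || offeredId.Length == 0)
            ? null : Convert.ToBase64String(offeredId);
        lock (entries)
        {
            Entry e;
            if (key != null && entries.TryGetValue(key, out e))
            {
                if (e.Expires > DateTime.UtcNow) { Resumed++; return offeredId; } // no RSA
                entries.Remove(key);              // expired: fall through to full handshake
            }
            FullHandshakes++;                     // the expensive RSA key exchange happens here
            byte[] id = new byte[32], secret = new byte[48];
            Rng.GetBytes(id); Rng.GetBytes(secret);   // unguessable ID, stand-in secret
            entries[Convert.ToBase64String(id)] =
                new Entry { Secret = secret, Expires = DateTime.UtcNow + lifetime };
            return id;
        }
    }
}

static class Demo
{
    static void Main()
    {
        var same = new SessionCache(TimeSpan.FromMinutes(5));
        byte[] id = null;
        for (int i = 0; i < 300; i++) id = same.Handshake(id);   // one client reconnecting
        var many = new SessionCache(TimeSpan.FromMinutes(5));
        for (int i = 0; i < 300; i++) many.Handshake(null);      // 300 distinct clients
        Console.WriteLine("same client: full={0} resumed={1}", same.FullHandshakes, same.Resumed);
        Console.WriteLine("distinct clients: full={0} resumed={1}", many.FullHandshakes, many.Resumed);
    }
}
```

A cache used in a real server also needs a size bound and periodic eviction, since every new client adds an entry holding key material.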
