Persistent HTTP(S) connections in opkg

Baptiste Jonglez baptiste at bitsofnetworks.org
Fri Jan 1 09:29:37 EST 2021


Hi,

On 31-12-20, Hauke Mehrtens wrote:
> > I looked into performance problems of LuCI when using https some time ago.
> > 
> > The slow part was the handshake, the normal stream cipher is relatively
> > fast, even very slow devices should be able to do multiple MB/s.
> > 
> > On the server side the ECC handshake was much faster; I think I measured
> > values like 1 second (RSA) vs. 0.3 seconds (ECC) for the handshake on a
> > Lantiq MIPS 24Kec CPU with mbedtls. The RSA handshake was much faster
> > (0.5 seconds) with openssl.
> > 
> > We should activate support for ECC certificates on
> > https://downloads.openwrt.org, I think it is possible to use both RSA
> > and ECC on the server and then decide based on what the client supports
> > and wants. In OpenWrt we could use then ECC to authenticate the server.
> > The crypto parts should already be there as we need ECDH for SAE in
> > hostapd.
> > 
> > We could use TLS Session Resumption; the SSL libraries should support
> > it. This way we can easily reuse the same session for the next download.
> > Browsers do this to do only one SSL handshake and then have multiple TCP
> > connections to the server to download the material in parallel.
> > 
> > Hauke
> 
> The changes I did are here:
> https://git.openwrt.org/f2c8f6dc3249b506b915741d12905402dfffe162
> https://git.openwrt.org/e8a1469
> 
> These are only for mbedtls and not for openssl/wolfssl; it could be that this
> causes some problems. I would also assume that openssl is much faster than
> wolfssl, so we do not see these problems so much with openssl.

Thanks for the hints and the links.

I assume that the TLS session cache is only kept in memory?  This makes
sense for a server process, but it is less useful on the client side.
Especially because currently opkg forks to call uclient-fetch individually
for each package download.  It would be useful when downloading several
files with one uclient-fetch invocation, but this feature is broken.

In any case, you're right: it's a good idea to benchmark before trying to
optimize something.  Once I fixed my test devices, I will run performance
tests with client-side TLS.

Thanks,
Baptiste
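The mechanism discussed above (one process per download, a full TLS handshake each time, versus reusing a session so the next connection only does the abbreviated handshake) can be reproduced end to end in a few dozen lines of Go. The block below is an added example and is not code from this thread, from opkg or from uclient-fetch; it uses Go's standard crypto/tls and starts an in-process HTTPS server with a constructed, throwaway P-256 certificate as a stand-in for the download mirror. The "Packages" path and the response body are constructed as well. Each request deliberately opens a new TCP+TLS connection (DisableKeepAlives), mirroring one fetch process per package; the only difference between the two runs is whether the client keeps a session cache between connections.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// FetchReport: per download, whether the handshake resumed a session, plus the server key type.
type FetchReport struct {
	Resumed []bool
	KeyAlgo string
}

// newECCServer starts an in-process HTTPS server with a throwaway P-256 cert generated here
// (a constructed stand-in for the mirror, not its real certificate).
func newECCServer() (*httptest.Server, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts only this self-signed cert
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "Package: example\nVersion: 1.0\n") // constructed stand-in for a Packages index
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}}
	srv.StartTLS()
	return srv, pool, nil
}

// newClient opens a fresh TCP+TLS connection per request, as one uclient-fetch process per
// package does; a non-nil cache carries session tickets from one connection to the next.
func newClient(pool *x509.CertPool, cache tls.ClientSessionCache) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12, ClientSessionCache: cache},
		DisableKeepAlives: true,
	}}
}

// FetchN downloads url n times over separate connections and records resp.TLS.DidResume for each.
func FetchN(client *http.Client, url string, n int) (FetchReport, error) {
	var rep FetchReport
	for i := 0; i < n; i++ {
		resp, err := client.Get(url)
		if err != nil {
			return rep, err
		}
		_, _ = io.Copy(io.Discard, resp.Body) // drain so the connection closes cleanly
		resp.Body.Close()
		rep.Resumed = append(rep.Resumed, resp.TLS.DidResume)
		if i == 0 {
			rep.KeyAlgo = resp.TLS.PeerCertificates[0].PublicKeyAlgorithm.String()
		}
	}
	return rep, nil
}

// Demo runs three downloads against the local server, with or without a client session cache.
func Demo(useCache bool) (FetchReport, error) {
	srv, pool, err := newECCServer()
	if err != nil {
		return FetchReport{}, err
	}
	defer srv.Close()
	var cache tls.ClientSessionCache
	if useCache {
		cache = tls.NewLRUClientSessionCache(16)
	}
	return FetchN(newClient(pool, cache), srv.URL+"/Packages", 3)
}

func main() {
	rep, err := Demo(true)
	fmt.Printf("key=%s resumed=%v err=%v\n", rep.KeyAlgo, rep.Resumed, err)
}
```

Without a cache every one of the three downloads reports DidResume == false, i.e. three full handshakes, which is the cost the thread is discussing; with the LRU cache the first download does the full handshake and the two that follow resume it. The cache here lives in the client process, which is exactly the limitation raised above: it only helps when the same process performs several downloads, not when a new fetch process is forked per package.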