TLS, threads, and workers

Ben Laurie ben at algroup.co.uk
Fri Sep 5 17:27:09 UTC 2003 

Roger Dingledine wrote:
>>The reason that TLS links might argue for a multithreaded design is
>>that, with all the TLS implementations I know of, I don't know any good
>>way to separate the SSL handshake crypto operations from the SSL
>>handshake IO operations.  Thus, if we want to put the RSA operations in
>>a separate execution context (i.e., process or thread) in order to avoid
>>high-latency operations, we'll need to put the socket operations there
>>too.
> 
> 
> I don't know about this either way. Ben, your statemachine ssl demo seems
> to be able to yield the encrypted bytes, and then I can put them on the
> network myself. Is that correct? In other words, is there a way for me
> to treat the SSL object as an encryptor/decryptor, and keep it separate
> from the fd?

Yes.

> (But even if this is possible, we'd have to have some way to squeeze
> an SSL object through a pipe and then back again along with the
> answer. Yuck.)

Well, you can choose your source of yuckiness.

>> But you can't pass sockets back and forth across processes; hence
>>threads seem smart.
>>
>>Another option is to go heavily multiprocess: stick _all_ link
>>encryption operations in separate processes from the main onion routing
>>process.  The link encryption processes could send unencrypted cells
>>back and forth from the main OR process.  This could scale poorly, by
>>requiring many processes.
> 
> 
> Yep. My current thoughts are that we should hope to get an onion
> routing network of 200-300 routers. After that we will need to solve the
> restricted topology problem, because we can't expect to stay a clique
> past that. So with the current code I'm looking to handle maybe 500
> connections. Separate processes for each would just be nuts.

500 processes ain't so bad, plenty of websites run that many Apaches.

>>Another option is to accept hiccups while handshakes are going on.  If
>>we later impose some kind of proof of work requirement before beginning
>>the handshake, this might not be so bad.  On the box that the ORs are
>>currently running on, 1024 bit RSA decrypt takes 6 ms, 1536 bit RSA
>>decrypt takes 19 ms, and 2048 bit RSA decrypt takes 36 ms.
> 
> 
> This is a fine mid-term solution (after all, we accept the hiccups right
> now). There's no rush to add threading.
> 
> We should also recognize that we're already partway down this path: we
> are already multiprocess, and we have infrastructure (albeit socketpairs,
> not memory queues) for communicating to/from the workers. On Win32 we
> already use threads (Win32 doesn't support multiprocess well at all),
> though again these are Windows threads rather than pthreads. But overall
> I think this may be a smaller bullet to bite than it sounds.
> 
> 
>>Another option is to try to hack up OpenSSL to separate the crypto parts
>>from the IO parts.  I don't have a lot of confidence here--OpenSSL
>>internals can get complicated, and I don't see any hooks that do what we
>>want.
> 
> 
> Assuming it's not already done (Ben?), if we do this we will want to
> do it such that we can wrap the changes back into the official OpenSSL
> tree. Otherwise OpenSSL will change out from under us and we'll be
> constantly fighting to keep synced. We would need another developer for
> this (and if we get another developer, we have better things to work on).

See my previous response. Its already done.

>>While I don't question Ben's experience, I must add another data point
>>--- Mixminion uses a lightly multithreaded design, and seems to run fine
>>on FreeBSD.
> 
> 
> Mixminion uses python2's thread layer. Does it use the native pthreads
> directly on FreeBSD?
> 
> 
>>"Non-threadsafe libraries" -- OpenSSL (which we're using now) can
>>supposedly be compiled in a thread-safe mode.
> 
> 
> Wait, what do you mean 'can be compiled'? :) Remember that we're using
> OpenSSL because everybody already has it.

Its always threadsafe, you just have to add locking callbacks.

>>So as you can probably tell, I currently regard threading as the least
>>unworkable solution.  But if there's an even less unworkable solution,
>>I'd rather do that instead.
> 
> Robust software engineering is hard.

Robust threaded software engineering is harder.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

More information about the tor-dev mailing list