I'm seeing not-great TLS performance; enabling the ClientSessionCache seems to help.
But it looks like even when resuming a session, we still call processCertsFromClient,
and do an (expensive) validation of the client cert chain.
1) Do we really need to re-validate the client cert on resume (haven't we already
validated it on first-connect)? Can the client switch certs on us?
2) Is it possible to avoid any of this work using a cache? processCertsFromClient looks
very cacheable to my untrained eye. I'm thinking something similar to
ClientSessionCache in tls.Config.
I guess I could turn off client-cert validation by the tls package, and implement my own
cache. It would sure be nice if this was out-of-the-box though!
Session resumption makes this less important, but I don't see why we wouldn't also cache
validation of server certs.
The text was updated successfully, but these errors were encountered:
The expensive bit of the cert-chain validation seems to be the EC computations (my code
spends 50% of CPU time in crypto/elliptic.p256ReduceDegree).
I suggest a good approach might be to memoize the crypto computations (which never
change). So we wouldn't worry about caching usage verifications or expiration times,
and would rely on the standard caching of e.g. CRLs. I believe those checks are
comparatively cheap, and much harder to cache correctly.