This document discusses optimizations for SSL-TLS certificate caching on multicore systems to improve performance for TCP-SSL proxy services handling high traffic volumes. It outlines issues with single-core certificate caching like duplicate generation and proposes a solution to have each core generate and cache its own certificates while a single thread manages the overall cache for validity. Benchmark results showed this approach helped accelerate caching and lookups to support over 30,000 connections per second.

1. SSL-TLS Certificate Cachingonmulticore
Optimizations for SSL-TLS Certificate Cachingon
multicore

2. SSL-TLS Certificate Cachingonmulticore
Introduction
Technological advancementinmobility sectorhasledtouse of smarterappliancesandservicesforday
to day taskand chores.Thishas ledto increase tonetworktrafficinVPN connectionsacrossthe globe in
the last decade.Withrise of demandin faster,mobile andlessgeographical constraintworkplace;
trafficcontenthas movedfromprivate topublicdomainaccess.Sharingorconnectingtopublicdomain
alsoexposesthe system toattackson Webclientandserver infrastructures.
Thisbringsin the needtomonitorthe trafficbothinboundandoutboundfromsecure container(canbe
eitherClientorServerservices).Thiscanbe done efficientlybyemployingIDSorIPSon the varyinglive
traffic(1G to 20G) basedon connections,contentsize,bandwidthetc...
Abstract
Thiswhite paperexaminesvarious optimizationsoncertificate cachinglogiconmulticore forTCP-SSL
Proxyservice tocater to 20G line rate processingforanaverage of 30000 connections/sec. Italso
summarizesvariousapproachesanditsbenefitsandpitfallsexploredbefore implementingthe final
solutiontoo.
Issue
In SSL proxywebclientscanrequestforwebpagessupportedminimumof 3 or more certificatesper
connection.GeneratingcertificatesforeachproxySSLwill seriouslydeteriorate performance of
Interceptiondevice inplace. Ideal wayoutistocache the certificatesrecentlygenerated.Reuse the
validcertificate (if fieldsof originalcertificate remainssame, certificateisnotrevoked,TIBhasnot
expired).

3. SSL-TLS Certificate Cachingonmulticore
Followingreasonscanadverselyaffectcachingperformance
1. Requestforsame webpage fromdifferentconnectionswillbe placedondifferentthreads
(processingcores) aspartof concurrency.
2. All threads(processingcores) cangenerate certificateswithsame contenttobe cachedleading
to cache space congestion.
3. Same certificate mightbe used informultipleIPof webservers(DNSallow same service to
available forsame webservercontent). GeneratingandCache perIPwill be costlyandmemory
hogging.
4. Cleanupof cache can be periodicorthresholddriven,there are chanceswithinthe time period
requestforCertificate lookupwill yieldastale cachedcertificate.
5. Lookupfor certificate istime bounded,increase intime complexitywillbe TLS-SSLconnection
termination.
Solution
To addressabove issuesfollowingideaswere developedfromgroundup
1. Allowcreationof newcertificatesoneachSSLprocessingcores.
2. Allowpercore fixedqueuetoholdcertificate descriptor(IP,Serial Number,DigestInfoand
PointertoCertificate inmemory).
3. Run Certificate managementlogiconsingle thread(representing single processingcore);which
scans fornewcertificate descriptorforSSLcores,checksthe contentsare valid,markcached
certificate againstrevocationlist,periodicflushthe invalidcertificatefromcache oncongestion
or periodictime out.
4. Place certificate lookupinindex basedhash-arraylookupforcertificate.Whichdeliversindex to
certificate buffermemoryfromhuge page.
5. Use of vector ISA reducestime incalculatinghashesandindexforlookup.

4. SSL-TLS Certificate Cachingonmulticore
Application
Future Roadmap
 Port the solutionfromRISCmulticore toMIPS,PPCand ARMsolutionsforSSLproxy.
Conclusion
Utilizingmulticoreandoptimizationtechniquesspecifictothe probleminhand;we were able to
accelerate certificate cachingandlookupwithsimpleandpragmaticoptimizations.
0
5000
10000
15000
20000
25000
30000
35000
1024 2048 4096
8000
3400
1200
30500
12000
7500
CONNECTIONPERSEC
KEY SIZE
Performance Comparision
Generated Cached