SSLCACHE (JANUS DEFINE parameter): Difference between revisions
Latest revision as of 20:27, 14 October 2014
SSLCACHE xxxx — number of cache entries for SSL sessions
SSLCACHE is a parameter on JANUS DEFINE, which defines and sets characteristics of a Janus port.
This parameter specifies the number of entries in virtual storage to be allocated for caching information related to this port's SSL sessions. A Janus port whose definition includes an SSL parameter supports Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encrypted sessions.
The SSL cache helps limit the CPU overhead of establishing an SSL session. It does not reduce the effectiveness of security, but it does reduce the overhead at the cost of a relatively small amount of virtual storage.
SSL sessions can persist for a length of time determined by either the client or server. Janus Network Security limits the life-span of SSL V2 connection sessions to the lesser of 2 minutes or the value of SSLMAXAGE, and it limits SSL V3 and TLS connections to 1440 minutes (24 hours). For most sites, the default SSLCACHE should be sufficient.
Each session requires approximately 512 bytes per entry to cache session-related information. A further SSLMAXCERTL bytes are required to hold server certificates for CLSOCK ports, or to hold client certificates for Janus server ports that request them by including SSLCLCERT or SSLCLCERTR.
If the SSLCACHE value is too small, and a larger than anticipated number of users attempt to access an SSL-secured port, entries in the cache are removed on a least-recently-used basis. This may lead to greater overhead for re-execution of the CPU-intensive initial public-key/private-key encryption/decryption operations. The indicator that the SSLCACHE value is not large enough to hold all the contemporaneous SSL sessions is a non-zero value in the "SesNF" column of the JANUS SSLSTAT command result. This is not necessarily problematic as long as the SesNF value is relatively small, because it is not unreasonable to suffer an occasional lost session in order to reduce virtual storage.
Note: SSLCACHE is specified in entries, and the default SSLCACHE allocation is the number of storage entries required for 16 times the number of threads defined on the port. So by default, 10 threads would result in 160 entries; at 512 bytes per entry, this would require 81,920 bytes of virtual storage. 100 threads would require 819,200 bytes.
The default SSLCACHE value is likely to be excessively large for CLSOCK ports that only connect to a single or to a few servers. All CLSOCK connections to a particular server use the same SSL session regardless of how many different threads initiate connections.
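The following is an added illustration, not Janus code and not part of this page: it models the sizing arithmetic above (16 entries per thread by default, about 512 bytes per entry, plus SSLMAXCERTL bytes per entry when certificates are held) and the least-recently-used eviction that produces the SesNF count. The function and class names, and the simulated client traffic, are assumptions constructed here; the cache model is a generic LRU keyed by session id, not a description of the product's internal layout.

```python
"""Sizing and eviction model for an SSLCACHE-style SSL session cache.

Added illustration, not Janus code. The figures it uses are those the page
states: a default of 16 cache entries per port thread, roughly 512 bytes per
entry, SSLMAXCERTL extra bytes per entry when certificates are cached, and
least-recently-used eviction when the cache is full. The function names and
the simulated traffic below are constructed for this example.
"""
from collections import OrderedDict
from typing import Dict, List

ENTRIES_PER_THREAD = 16   # default SSLCACHE = 16 * threads (from the page)
BYTES_PER_ENTRY = 512     # approximate per-entry session data (from the page)


def default_sslcache_entries(threads: int) -> int:
    """Default SSLCACHE allocation, in entries, for a port with `threads` threads."""
    return ENTRIES_PER_THREAD * threads


def sslcache_bytes(entries: int, sslmaxcertl: int = 0) -> int:
    """Virtual storage for a cache of `entries` entries.

    `sslmaxcertl` is the per-entry certificate space (server certificates on
    CLSOCK ports, client certificates when SSLCLCERT/SSLCLCERTR is in effect);
    pass 0 when no certificates are cached.
    """
    return entries * (BYTES_PER_ENTRY + sslmaxcertl)


class SessionCache:
    """Least-recently-used cache of SSL sessions keyed by session id.

    `ses_nf` counts resumption attempts whose session was not found, the
    condition the page says shows up as the SesNF column of JANUS SSLSTAT.
    A small non-zero count is tolerable; a large one means the cache is too
    small for the number of concurrent sessions and full handshakes repeat.
    """

    def __init__(self, entries: int):
        self.capacity = entries
        self._entries: "OrderedDict[str, Dict[str, str]]" = OrderedDict()
        self.ses_nf = 0           # resumptions that missed (evicted or unknown)
        self.full_handshakes = 0  # CPU-intensive public-key handshakes performed

    def handshake(self, session_id: str) -> None:
        """A full handshake: store the session, evicting the LRU entry if full."""
        self.full_handshakes += 1
        if session_id in self._entries:
            self._entries.move_to_end(session_id)
            return
        if len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)   # drop least recently used
        self._entries[session_id] = {"id": session_id}

    def resume(self, session_id: str) -> bool:
        """Client offers a session id for resumption; True if it was still cached."""
        if session_id in self._entries:
            self._entries.move_to_end(session_id)   # refresh recency
            return True
        self.ses_nf += 1
        self.handshake(session_id)   # miss: fall back to a full handshake
        return False


def simulate(entries: int, new_sessions: List[str], resumptions: List[str]) -> Dict[str, int]:
    """Run a round of new sessions, then a round of resumption attempts."""
    cache = SessionCache(entries)
    for sid in new_sessions:
        cache.handshake(sid)
    hits = sum(cache.resume(sid) for sid in resumptions)
    return {"hits": hits, "ses_nf": cache.ses_nf, "full_handshakes": cache.full_handshakes}


if __name__ == "__main__":
    for threads in (10, 100):
        n = default_sslcache_entries(threads)
        print(f"{threads} threads -> {n} entries -> {sslcache_bytes(n)} bytes")
    clients = [f"client-{i}" for i in range(1, 7)]   # constructed sample traffic
    print("4 entries, 6 clients returning in order:", simulate(4, clients, clients))
    print("6 entries, 6 clients returning in order:", simulate(6, clients, clients))
```

The second simulation run is the case the page warns about: six contemporaneous sessions cycling through a four-entry cache miss on every resumption, so each return costs a full handshake and SesNF climbs as fast as the traffic. For a CLSOCK port the relevant count is the number of distinct servers rather than threads, since the page notes that all connections to one server share a single session.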
SSLCACHE is valid for SRVSOCK, CLSOCK (but not DEBUGGERCLIENT), WEBSERV, OPENSERV, and SDS port types.