Performance issue with redfish TLS handshake

sharad yadav sharad.openbmc at gmail.com
Tue Oct 12 01:49:11 AEDT 2021


Thanks for the help. It worked out with the client setting keepalive=true.
Though curl is pre-enabled with keepalive=true. The curl command below worked
out to avoid the TLS handshake in subsequent calls.
curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/json" -X GET https://${bmc}/redfish/v1/Systems/system https://${bmc}/redfish/v1/Systems/system

Thanks,
Sharad

On Wed, 6 Oct 2021 at 00:23, Ed Tanous <edtanous at google.com> wrote:

> On Tue, Oct 5, 2021 at 11:48 AM John Broadbent <jebr at google.com> wrote:
> >
> >
> >
> > On Tue, Oct 5, 2021 at 1:42 AM sharad yadav <sharad.openbmc at gmail.com> wrote:
> >>
> >> Hi All,
> >>
> >> We have tried to measure redfish APIs performance benchmarking on AST2600.
> >> On redfish GET request there is a penalty added for ~100ms on TLS handshake at
>
> This is a little higher than I would've expected, but not outside the
> realm of reasonable.  Can you triage what cipher suite you're
> negotiating between the client and server?  Are you using a DH+EC key
> cipher?  That should be faster than RSA.
>
> >> https://github.com/openbmc/bmcweb/blob/master/http/http_connection.hpp#L297
> >>
> >> On trying below all methods, each request calls `async_handshake` which adds 100ms delay
> >> before the actual redfish handler code gets called.
> >> Method 1:
> >> curl --insecure -X POST -D headers.txt https://${bmc}/redfish/v1/SessionService/Sessions -d '{"UserName":"root", "Password":"0penBmc"}'
> >> export token=<Read X-Auth-Token from the headers.txt>
> >> curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/json" -X GET https://${bmc}/redfish/v1/Systems/system
> >>
> >> Method 2:
> >> export token=`curl -k -H "Content-Type: application/json" -X POST https://${bmc}/login -d '{"username" : "root", "password" : "0penBmc"}' | grep token | awk '{print $2;}' | tr -d '"'`
> >> curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/json" -X GET https://${bmc}/redfish/v1/Systems/system
> >>
> >> Method 3:
> >> curl https://${bmc}/redfish/v1/Systems/system --insecure -u root:0penBmc -L
> >>
> >> We want to avoid this ~100ms delay for better performance.
> >> Please suggest if there is a way to skip the `async_handshake` call by modifying the requests method?
> >>
> >> Thanks,
> >> Sharad
> >
> >
> >
> >
> > There is logic in the crow::connection object that should allow you to use tcp keep-alive and avoid the handshake in start.
> > https://github.com/openbmc/bmcweb/blob/master/http/http_connection.hpp#L694
> >
> > I have looked at the connection class in bmcweb before, and found it difficult to understand.
> > However, this is a simplified version of the states within the connection class:
> >
> > start->doReadHeaders->doRead->handle->completeRequest->doWrite[if keep alive]->doReadHeaders
> >
> > The async_handshake is in the start, so if you are able to use the same connection, you should only pay for the handshake once.
> > Ed Tanous and Gunnar Mills are the definitive experts.
>
> Yep, John got this exactly right.  Make sure whatever client you're
> using is taking advantage of keepalive, and you will only take this
> TLS performance hit for the first request.
>
> >
> >
> > Let us know what you find.
> > Thank you
>
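One way to confirm the connection reuse discussed in this thread, as an added example that is not part of any poster's message or of bmcweb: curl's `--write-out` counters show, per transfer, whether a new connection was opened and how long the TLS handshake took. The helper names `probe_reuse` and `summarize_reuse` are hypothetical; `${bmc}` and the token are obtained as in the thread.

```shell
#!/bin/sh
# Added example: verify that several Redfish GETs issued by ONE curl process
# share a single TLS connection (keep-alive), so only the first transfer
# pays for the handshake.

# probe_reuse BMC TOKEN N
# Requests the same resource N times in one curl invocation and prints
# "<num_connects> <time_appconnect>" for each transfer.
#   num_connects    = new connections opened for that transfer
#   time_appconnect = seconds until the TLS handshake completed
#                     (0.000000 when an existing connection was reused)
# -k mirrors the commands in the thread (self-signed BMC certificate);
# use --cacert where the BMC certificate chains to a CA you trust.
probe_reuse() {
    bmc=$1 token=$2 n=$3
    url="https://${bmc}/redfish/v1/Systems/system"
    set --
    i=0
    while [ "$i" -lt "$n" ]; do
        # -o is a per-URL option, so repeat it for every URL
        set -- "$@" -o /dev/null "$url"
        i=$((i + 1))
    done
    curl -k -s -H "X-Auth-Token: $token" \
         -w '%{num_connects} %{time_appconnect}\n' "$@"
}

# summarize_reuse
# Reads probe_reuse output on stdin and reports how many transfers opened
# a new connection and the total handshake time they paid.
summarize_reuse() {
    awk '$1 > 0 { fresh++; hs += $2 }
         { total++ }
         END { printf "transfers=%d handshakes=%d handshake_seconds=%.3f\n",
                      total, fresh, hs }'
}

# Usage (needs a reachable BMC):
#   probe_reuse "$bmc" "$token" 3 | summarize_reuse
```

With keep-alive working, the summary shows one handshake regardless of the number of transfers; running curl once per request shows one handshake per transfer.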