> On 12 Oct 2021, at 10:41, sun edward <sunzhiyong3210@gmail.com> wrote:
>
> Hi,
> There is a changeset fe919fd63b0b "client certificate validation with OCSP" , after merge this changeset, the performance seems not as good as before, the avg response time increased about 50~60ms. is there a way to optimize this problem?
>

Are you referring to processing 0-RTT HTTP/3 requests?

Anyway, please try this change and report back.

# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1634038108 -10800
# Tue Oct 12 14:28:28 2021 +0300
# Branch quic
# Node ID af4bd86814fdd0a2da3f7b8a965c41923ebeedd5
# Parent 9d47948842a3fd1c658a9676e638ef66207ffdcd
QUIC: speeding up processing 0-RTT.

After fe919fd63b0b, processing 0-RTT was postponed until after handshake
completion (typically seen as 2-RTT), including both ssl_ocsp on and off.
This change allows to start OCSP checks with reused SSL handshakes,
which eliminates 1 additional RTT allowing to process 0-RTT as expected.

diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -410,6 +410,10 @@ ngx_quic_crypto_input(ngx_connection_t *
return NGX_ERROR;
}

+ if (SSL_session_reused(c->ssl->connection)) {
+ goto ocsp;
+ }
+
return NGX_OK;
}

@@ -463,6 +467,7 @@ ngx_quic_crypto_input(ngx_connection_t *
return NGX_ERROR;
}

+ocsp:
rc = ngx_ssl_ocsp_validate(c);

if (rc == NGX_ERROR) {

--
Sergey Kandaurov

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel