mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-07-06 19:28:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add SNI support to redbean and improve SSL perf

Browse source 
This change makes SSL virtual hosting possible. You can now load
multiple certificates for multiple domains and redbean will just
figure out which one to use, even if you only have 1 ip address.
You can also use a jumbo certificate that lists all your domains
in the the subject alternative names.

This change also makes performance improvements to MbedTLS. Here
are some benchmarks vs. cc1920749e

                                   BEFORE    AFTER   (microsecs)
suite_ssl.com                     2512881   191738 13.11x faster
suite_pkparse.com                   36291     3295 11.01x faster
suite_x509parse.com                854669   120293  7.10x faster
suite_pkwrite.com                    6549     1265  5.18x faster
suite_ecdsa.com                     53347    18778  2.84x faster
suite_pk.com                        49051    18717  2.62x faster
suite_ecdh.com                      19535     9502  2.06x faster
suite_shax.com                      15848     7965  1.99x faster
suite_rsa.com                      353257   184828  1.91x faster
suite_x509write.com                162646    85733  1.90x faster
suite_ecp.com                       20503    11050  1.86x faster
suite_hmac_drbg.no_reseed.com       19528    11417  1.71x faster
suite_hmac_drbg.nopr.com            12460     8010  1.56x faster
suite_mpi.com                      687124   442661  1.55x faster
suite_hmac_drbg.pr.com              11890     7752  1.53x faster

There aren't any special tricks to the performance imporvements.
It's mostly due to code cleanup, assembly and intel instructions
like mulx, adox, and adcx.
This commit is contained in:
Justine Tunney 2021-07-19 14:55:20 -07:00
parent f3e28aa192
commit 398f0c16fb
190 changed files with 14367 additions and 8928 deletions
Download patch file Download diff file Expand all files Collapse all files

30
tool/net/help.txt
View file

@ -231,6 +231,27 @@ SECURITY
redbean.com -dD /var/www/html
You can load as many public and private keys as you want. They can be
specified as pem, der, concatenated ascii, bundles, or chains. If you
don't specify specific chains then redbean will automatically infer it
based on SUBJECT → ISSUER relationships. Your redbean won't serve the
self-signed root certificate at the end of the chain where self-signed
is defined as SUBJECT == ISSUER. Otherwise you can control when chains
terminate by setting the max length constraint to zero.
Your redbean supports SSL virtual hosting. 99.76% of TLS clients send
a Server Name Indicator (SNI), which is matched against DNS or IPs in
Subject Alternative Names (SAN) or the Common Name (CN) of subject if
SAN isn't used. This means you don't need to reveal your whole domain
portfolio to each client just to have ssl. You can just use different
certificates for each domain if you choose to do so.
Your redbean has been secured with algorithms so strong that, until a
few decades ago, it was illegal to share them with with those outside
the United States. By default, your redbean uses Suite C cryptography
since it goes a little bit faster. If you want stronger Suite B stuff
then you can pass the -B flag.
SSL verbosity is controlled as follows for troubleshooting:
-V log ssl errors
@ -785,6 +806,15 @@ FUNCTIONS
ProgramPrivateKey(Slurp("/etc/letsencrypt/fullchain.pem")) for
local file system only.
ProgramSslTicketLifetime(seconds:int)
Defaults to 86400 (24 hours). This may be set to ≤0 to disable
SSL tickets. It's a good idea to use these since it increases
handshake performance 10x and eliminates a network round trip.
EvadeDragnetSurveillance(bool)
If this option is programmed then redbean will not transmit a
Server Name Indicator (SNI) when performing Fetch() requests.
IsDaemon() → bool
Returns true if -d flag was passed to redbean.