Persistent HTTP(S) connections in opkg
Hauke Mehrtens
hauke at hauke-m.de
Thu Dec 31 14:54:49 EST 2020
On 12/31/20 8:40 PM, Hauke Mehrtens wrote:
> On 12/30/20 7:14 PM, Baptiste Jonglez wrote:
>> Following the discussion in
>> http://lists.openwrt.org/pipermail/openwrt-devel/2020-November/032297.html
>>
>> There are basically two options to implement persistent connections in
>> opkg:
>>
>> 1) keep calling "wget", but pass the list of all packages to download at
>> once. On the host, wget already implements persistent connections.
>> For devices, we would need to implement persistent connections in
>> uclient-fetch (which is what "wget" actually points to).
>>
>> 2) switch to using an HTTP library (libuclient or libcurl), so that we can
>> keep some TCP/TLS/HTTP context between downloads.
>>
>> The first solution has a major drawback on devices: all packages would
>> need to be downloaded to /tmp, which will consume memory. Currently, opkg
>> processes packages individually, so only one package at a time is stored
>> in /tmp.
>>
>> The second solution adds a new library dependency, and we need to make
>> sure that it works both on the host and on targets. Currently, we don't
>> make libuclient available to the host build system. We would need to
>> build it for the host and link opkg statically against it (like it's done
>> for libubox).
>>
>> Overall, I think the second solution makes more sense and is easier to
>> integrate.
>> I would go with libuclient because we already have it available on
>> devices.
>>
>> Any thoughts?
>>
>> Thanks,
>> Baptiste
>
> Hi,
>
> I looked into performance problems of LuCI when using https some time ago.
>
> The slow part was the handshake; the normal stream cipher is relatively
> fast, even very slow devices should be able to do multiple MB/s.
>
> On the server side the ECC handshake was much faster, I think I measured
> values like 1 second (RSA) vs. 0.3 seconds (ECC) for the handshake on a
> Lantiq MIPS 24Kec CPU with mbedtls, the RSA handshake was much faster
> (0.5 seconds) with openssl.
>
> We should activate support for ECC certificates on
> https://downloads.openwrt.org, I think it is possible to use both RSA
> and ECC on the server and then decide based on what the client supports
> and wants. In OpenWrt we could then use ECC to authenticate the server.
> The crypto parts should already be there as we need ECDH for SAE in
> hostapd.
>
> We could use TLS Session Resumption; the SSL libraries should support
> it, this way we can easily reuse the same session for the next download.
> Browsers do this to only do one SSL handshake and then have multiple TCP
> connections to the server to download the material in parallel.
>
> Hauke
The changes I did are here:
https://git.openwrt.org/f2c8f6dc3249b506b915741d12905402dfffe162
https://git.openwrt.org/e8a1469
These are only for mbedtls and not for openssl/wolfssl; it could be that
this causes some problems. I would also assume that openssl is much
faster than wolfssl, so we do not see these problems so much with openssl.
Hauke
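As an added illustration of the second option Baptiste describes (keeping one connection context across downloads while still handling one package at a time), here is a self-contained Python demo that is not opkg, uclient-fetch or libuclient code: a local HTTP/1.1 feed server counts how many TCP connections it accepts, and the client fetches every package over a single reused connection, draining each body in chunks. The package names and contents are constructed stand-ins.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in feed (path -> bytes); these are not real .ipk files.
PACKAGES = {
    "/packages/base/libc.ipk": b"libc-bytes" * 100,
    "/packages/base/busybox.ipk": b"busybox-bytes" * 200,
    "/packages/base/opkg.ipk": b"opkg-bytes" * 50,
}

class FeedHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive is the default in HTTP/1.1
    connections = 0  # TCP connections accepted so far
    def setup(self):
        FeedHandler.connections += 1  # once per TCP connection, not per request
        super().setup()
    def do_GET(self):
        body = PACKAGES.get(self.path)
        if body is None:
            return self.send_error(404)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def fetch_sequentially(host, port, paths, chunk=4096):
    # One HTTPConnection serves every request; each body is streamed in chunks,
    # so only one package is in flight (or would be in /tmp) at a time.
    conn = http.client.HTTPConnection(host, port)
    sizes = {}
    try:
        for path in paths:
            conn.request("GET", path)
            resp = conn.getresponse()
            if resp.status != 200:
                raise RuntimeError(f"{path}: HTTP {resp.status}")
            # Drain the body completely; a real client writes each chunk to disk.
            sizes[path] = sum(len(d) for d in iter(lambda: resp.read(chunk), b""))
    finally:
        conn.close()
    return sizes

def run_demo():
    """Serve the feed on a loopback port, fetch all packages, report the
    byte count per package and how many TCP connections the server saw."""
    FeedHandler.connections = 0
    server = HTTPServer(("127.0.0.1", 0), FeedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    sizes = fetch_sequentially("127.0.0.1", server.server_port, list(PACKAGES))
    server.shutdown()
    return sizes, FeedHandler.connections
```

With three packages the server reports exactly one accepted connection; the same loop with a fresh HTTPConnection per package (the "call wget once per package" model) would report three.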