|
| 1 | +# curl handshake |
| 2 | + |
| 3 | +I was invited by [Daniel Stenberg](https://daniel.haxx.se) to work with him on [curl](https://curl.se) improvements sponsored by the [Sovereign Tech Fund](https://sovereigntechfund.de), an initiative of the German government to strengthen digital infrastructure and open source in the public interests. [Daniel blogged about it](https://daniel.haxx.se/blog/2022/10/19/funded-curl-improvements/). |
| 4 | + |
| 5 | +Via this blog I try to give some updates on my ongoing work in this project, not least for transparency. This is deeply technical gobbledygook. |
| 6 | + |
| 7 | +## A Sleigh of Hand |
| 8 | + |
| 9 | +Below, I describe an optimization in curl's internals that you may find interesting for your own |
| 10 | +work. Well, if you work on TLS connections from a client side. Which limits the target audience |
| 11 | +somewhat, agreed. Did I mention this was technical gobbledygook? |
| 12 | + |
| 13 | +## TLS Handshake Performance (OpenSSL) |
| 14 | + |
| 15 | +Nicolas Buch opened [#10389](https://github.com/curl/curl/issues/10389) last |
| 16 | +week in which he noted degraded performance in `curl` 7.87 compared to 7.86. |
| 17 | +In particular the TTFB (Time to First Byte, e.g. when the first byte of the server response is received) had almost doubled. |
| 18 | + |
| 19 | +We checked the numbers from our current development version and they were not quite as bad, but still worse. He reported on his tests: |
| 20 | + |
| 21 | +``` |
| 22 | +# v7.86.0 |
| 23 | +Establish Connection: 0.020887s |
| 24 | +TTFB: 0.089944s |
| 25 | +Total: 0.091720s |
| 26 | +
|
| 27 | +# v7.87.1 |
| 28 | +Establish Connection: 0.020495s |
| 29 | +TTFB: 0.106032s |
| 30 | +Total: 0.108102s |
| 31 | +``` |
| 32 | + |
| 33 | +~16ms difference in TTFB. Not the world, but not nice either. So, I dug into the recent implementation. |
| 34 | + |
| 35 | +With the introduction of connection filters, code had become quite different from 7.86. There were more small writes to the TCP connection now, maybe buffering those could help? But buffering is a tricky thing to do right and being close to our 7.88 release, I was hesitant to tackle that. |
| 36 | + |
| 37 | +Then I spotted that we spend quite some time in parsing the TLS trust anchors, e.g. the CA bundle, commonly placed in `/etc/ssl/cert.pem`. curl needs those to verify that the certificate presented by a server is indeed coming from on of these anchors. So, there is not way to avoid reading them. |
| 38 | + |
| 39 | +However, there is no need for them in order to send the `ClientHello`, e.g. the first TLS message, to a server. You need them only when the reply from the server comes in. So, we moved this part of the code: |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +And got some nice numbers as result (from @bagder's machine to https://google.com): |
| 44 | + |
| 45 | +``` |
| 46 | +7.81 TTFB: 0.108146s |
| 47 | +7.86 TTFB: 0.095409s 7.88 TTFB: 0.062513s |
| 48 | +7.87 TTFB: 0.279984s |
| 49 | +
|
| 50 | +``` |
| 51 | + |
| 52 | +This gain applies only to the first request that curl makes. Applications that make use of `libcurl` and live a bit longer will not notice that much. But users of the `curl` command line will get some speedier replies. |
| 53 | + |
| 54 | +Hope it serves you well! |
0 commit comments