Reduce TLS handshake contention on SSLCertContext

c-taylor · c-taylor · commit 0c3530b25ace · 2026-04-17T14:37:09.000-06:00
Replace std::mutex with ts::bravo::shared_mutex on SSLCertContext
to allow true reader concurrency for getCtx() on the TLS handshake
hot path. setCtx() (config reload only) takes an exclusive lock.

Memory trade-off: BRAVO uses 256 cache-line-aligned reader slots
(~16 KB per mutex) vs ~40 bytes for std::mutex or ~56 bytes for
std::shared_mutex on Linux. For 256 certificates this is ~4 MB
(vs 10 KB / 14 KB), a modest cost relative to the SSL_CTX objects
themselves but worth noting for deployments with many certs.
diff --git a/src/iocore/net/P_SSLCertLookup.h b/src/iocore/net/P_SSLCertLookup.h
@@ -26,10 +26,10 @@
 #include "iocore/eventsystem/ConfigProcessor.h"
 #include "iocore/net/SSLTypes.h"
 #include "records/RecCore.h"
+#include "tsutil/Bravo.h"
 
 #include <set>
 #include <openssl/ssl.h>
-#include <mutex>
 #include <unordered_map>
 #include <utility>
 
@@ -94,8 +94,8 @@ using shared_ssl_ticket_key_block = std::shared_ptr<ssl_ticket_key_block>;
 */
 struct SSLCertContext {
 private:
-  mutable std::mutex ctx_mutex;
-  shared_SSL_CTX     ctx;
+  mutable ts::bravo::shared_mutex ctx_mutex;
+  shared_SSL_CTX                  ctx;
 
 public:
   SSLCertContext() : ctx_mutex(), ctx(nullptr), opt(SSLCertContextOption::OPT_NONE), userconfig(nullptr), keyblock(nullptr) {}
diff --git a/src/iocore/net/SSLCertLookup.cc b/src/iocore/net/SSLCertLookup.cc
@@ -237,7 +237,7 @@ SSLCertContext::SSLCertContext(SSLCertContext const &other)
   userconfig = other.userconfig;
   keyblock   = other.keyblock;
   ctx_type   = other.ctx_type;
-  std::lock_guard<std::mutex> lock(other.ctx_mutex);
+  ts::bravo::shared_lock lock(other.ctx_mutex);
   ctx = other.ctx;
 }
 
@@ -249,7 +249,7 @@ SSLCertContext::operator=(SSLCertContext const &other)
     this->userconfig = other.userconfig;
     this->keyblock   = other.keyblock;
     this->ctx_type   = other.ctx_type;
-    std::lock_guard<std::mutex> lock(other.ctx_mutex);
+    ts::bravo::shared_lock lock(other.ctx_mutex);
     this->ctx = other.ctx;
   }
   return *this;
@@ -258,14 +258,14 @@ SSLCertContext::operator=(SSLCertContext const &other)
 shared_SSL_CTX
 SSLCertContext::getCtx()
 {
-  std::lock_guard<std::mutex> lock(ctx_mutex);
+  ts::bravo::shared_lock lock(ctx_mutex);
   return ctx;
 }
 
 void
 SSLCertContext::setCtx(shared_SSL_CTX sc)
 {
-  std::lock_guard<std::mutex> lock(ctx_mutex);
+  std::lock_guard lock(ctx_mutex);
   ctx = std::move(sc);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -237,7 +237,7 @@ SSLCertContext::SSLCertContext(SSLCertContext const &other)`
`237`	`237`	`userconfig = other.userconfig;`
`238`	`238`	`keyblock = other.keyblock;`
`239`	`239`	`ctx_type = other.ctx_type;`
`240`		`- std::lock_guard<std::mutex> lock(other.ctx_mutex);`
	`240`	`+ ts::bravo::shared_lock lock(other.ctx_mutex);`
`241`	`241`	`ctx = other.ctx;`
`242`	`242`	`}`
`243`	`243`
`@@ -249,7 +249,7 @@ SSLCertContext::operator=(SSLCertContext const &other)`
`249`	`249`	`this->userconfig = other.userconfig;`
`250`	`250`	`this->keyblock = other.keyblock;`
`251`	`251`	`this->ctx_type = other.ctx_type;`
`252`		`- std::lock_guard<std::mutex> lock(other.ctx_mutex);`
	`252`	`+ ts::bravo::shared_lock lock(other.ctx_mutex);`
`253`	`253`	`this->ctx = other.ctx;`
`254`	`254`	`}`
`255`	`255`	`return *this;`
`@@ -258,14 +258,14 @@ SSLCertContext::operator=(SSLCertContext const &other)`
`258`	`258`	`shared_SSL_CTX`
`259`	`259`	`SSLCertContext::getCtx()`
`260`	`260`	`{`
`261`		`- std::lock_guard<std::mutex> lock(ctx_mutex);`
	`261`	`+ ts::bravo::shared_lock lock(ctx_mutex);`
`262`	`262`	`return ctx;`
`263`	`263`	`}`
`264`	`264`
`265`	`265`	`void`
`266`	`266`	`SSLCertContext::setCtx(shared_SSL_CTX sc)`
`267`	`267`	`{`
`268`		`- std::lock_guard<std::mutex> lock(ctx_mutex);`
	`268`	`+ std::lock_guard lock(ctx_mutex);`
`269`	`269`	`ctx = std::move(sc);`
`270`	`270`	`}`
`271`	`271`