SSL Acceleration for a Kernel-Mode Forwarding Plane

Published: 2024-03-28

With the widespread adoption of HTTPS, server performance drops sharply and traditional security devices can no longer inspect traffic. Security vendors therefore introduced SSL acceleration, but most of them implement it on top of the open-source OpenSSL library, which performs poorly. We designed and implemented a new solution: complete TCP-proxy and HTTPS-proxy processing in kernel mode, using the hardware encryption/decryption engine of the Broadcom platform to accelerate SSL.

This paper presents the overall architecture and how several key problems are handled. For the TCP proxy it focuses on out-of-order packet handling and the implementation of the retransmission mechanism; for the HTTPS proxy it focuses on hardware-engine encryption/decryption, the handling of the resulting asynchronous processing, and session reuse.

Keywords: TCP proxy, HTTPS acceleration, hardware encryption/decryption engine

ABSTRACT

With the wide use of the HTTPS protocol, server performance degrades severely and the detection performed by traditional security equipment fails entirely. Security vendors therefore proposed SSL acceleration, but most implementations are built on OpenSSL, an open-source library, and perform poorly. We therefore designed and implemented a new solution: the TCP proxy and the HTTPS proxy are implemented in the kernel, and the hardware encryption engine of the Broadcom platform is used to accelerate SSL.

This paper introduces the overall architecture and the processing methods for some key problems. The TCP proxy part mainly covers out-of-order packets and the retransmission mechanism. The HTTPS proxy part mainly covers the concepts of unidirectional and bidirectional proxying, hardware encryption and decryption, asynchronous processing, and session reuse.

Keywords: TCP proxy, HTTPS acceleration, hardware encryption and decryption

HTTPS is now used in more and more scenarios; e-commerce and webmail, for example, already run over HTTPS. This brings two problems. First, every security device that relies on inspecting plaintext data stops working: an IPS, for instance, must examine the data to detect attacks, and once that data is encrypted and encapsulated by SSL it can do nothing. Second, server performance drops sharply, because HTTPS encryption and decryption are extremely expensive and severely reduce the server's processing capacity. According to our test results, enabling HTTPS reduces server performance by about 80%.

To address these two problems, many security vendors have added SSL offload to their Web Application Firewall (WAF) products. SSL offload means that the WAF performs the HTTPS encryption and decryption in place of the server, while the WAF and the server communicate over plain HTTP. This allows security inspection of the plaintext data and at the same time relieves the server of that load. Meanwhile, W
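The SSL-offload arrangement described above, reduced to its essentials as an added user-space model in Go; this is illustrative code written for this page, not the paper's kernel-mode implementation, and it decrypts in software rather than on the Broadcom engine. It assumes a throwaway localhost certificate supplied by `net/http/httptest` where a deployed device would hold the site's own certificate and key, a constructed `BlockScriptTags` rule standing in for a real WAF/IPS rule, and a constructed origin response `"hello from origin"`. The point it demonstrates is the one the text makes: the client leg is HTTPS, the origin leg is plain HTTP, and the inspection rule runs on cleartext in between, so the origin never sees a TLS connection.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// Offload models the SSL-offload arrangement: the client leg is HTTPS, the
// origin leg is plain HTTP, and every request crosses the middle in cleartext
// where the inspect callback can examine it.
type Offload struct {
	proxy  *httptest.Server // HTTPS listener facing clients (the "WAF" side)
	origin *httptest.Server // plain-HTTP stand-in for the protected web server
	mu     sync.Mutex
	seen   []string // request lines the origin actually received
}

// BlockScriptTags is a constructed stand-in for a WAF/IPS content rule: it
// refuses requests whose decoded query values contain "<script". A rule like
// this can only run after decryption, which is why TLS is terminated here.
func BlockScriptTags(r *http.Request) bool {
	for _, vals := range r.URL.Query() {
		for _, v := range vals {
			if strings.Contains(strings.ToLower(v), "<script") {
				return false
			}
		}
	}
	return true
}

// StartOffload brings up the origin and the offload proxy on loopback ports.
func StartOffload(inspect func(*http.Request) bool) (*Offload, error) {
	o := &Offload{}
	o.origin = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.TLS is nil here: the origin only ever sees decrypted HTTP.
		o.mu.Lock()
		o.seen = append(o.seen, fmt.Sprintf("%s %s tls=%v", r.Method, r.URL.RequestURI(), r.TLS != nil))
		o.mu.Unlock()
		io.WriteString(w, "hello from origin") // constructed origin response
	}))
	target, err := url.Parse(o.origin.URL)
	if err != nil {
		o.origin.Close()
		return nil, err
	}
	upstream := httputil.NewSingleHostReverseProxy(target)
	o.proxy = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// By the time the handler runs, the TLS record layer has already
		// decrypted the request, so inspect() works on plaintext.
		if !inspect(r) {
			http.Error(w, "blocked by inspection", http.StatusForbidden)
			return
		}
		upstream.ServeHTTP(w, r) // re-send as plain HTTP toward the origin
	}))
	// In a deployment the site's certificate and key go into Certificates;
	// httptest fills in a throwaway localhost certificate when it is empty.
	o.proxy.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	o.proxy.StartTLS()
	return o, nil
}

// URL is the https:// address clients connect to.
func (o *Offload) URL() string { return o.proxy.URL }

// Client returns an HTTPS client that trusts the proxy's certificate.
func (o *Offload) Client() *http.Client { return o.proxy.Client() }

// Seen returns a copy of the request lines the origin received.
func (o *Offload) Seen() []string {
	o.mu.Lock()
	defer o.mu.Unlock()
	return append([]string(nil), o.seen...)
}

// Close shuts down both servers.
func (o *Offload) Close() {
	o.proxy.Close()
	o.origin.Close()
}

func main() {
	o, err := StartOffload(BlockScriptTags)
	if err != nil {
		panic(err)
	}
	defer o.Close()
	for _, q := range []string{"q=ok", "q=%3Cscript%3E"} {
		resp, err := o.Client().Get(o.URL() + "/index.html?" + q)
		if err != nil {
			panic(err)
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		fmt.Printf("%s -> %d %q\n", q, resp.StatusCode, body)
	}
	fmt.Println("origin saw:", o.Seen())
}
```

Running it shows the first request reaching the origin with `tls=false` and the second being refused with 403 before any plaintext is forwarded; the proxy, not the origin, pays the cryptographic cost, which is the load the paper moves into the kernel and onto the hardware engine.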