cache NIOSSLContext (saves 27k allocs per conn)

Motivation: At the moment, AHC assumes that creating a `NIOSSLContext` is both cheap and doesn't block. Neither of these two assumptions are true. To create a `NIOSSLContext`, BoringSSL will have to read a lot of certificates in the trust store (on disk) which require a lot of ASN1 parsing and much much more. On my Ubuntu test machine, creating one `NIOSSLContext` is about 27,000 allocations!!! To make it worse, AHC allocates a fresh `NIOSSLContext` for _every single connection_, whether HTTP or HTTPS. Yes, correct. Modification: - Cache NIOSSLContexts per TLSConfiguration in a LRU cache - Don't get an NIOSSLContext for HTTP (plain text) connections Result: New connections should be _much_ faster in general assuming that you're not using a different TLSConfiguration for every connection.

Author: weissi

Sources/AsyncHTTPClient/ConnectionPool.swift

@@ -18,6 +18,7 @@ import NIO
 import NIOConcurrencyHelpers
 import NIOHTTP1
 import NIOHTTPCompression
+import NIOSSL
 import NIOTLS
 import NIOTransportServices
 
@@ -41,6 +42,8 @@ final class ConnectionPool{
 
 privateletbackgroundActivityLogger:Logger
 
+letsslContextCache=SSLContextCache()
+
 init(configuration:HTTPClient.Configuration, backgroundActivityLogger:Logger){
 self.configuration = configuration
 self.backgroundActivityLogger = backgroundActivityLogger
@@ -106,6 +109,8 @@ final class ConnectionPool{
 self.providers.values
 }
 
+self.sslContextCache.shutdown()
+
 returnEventLoopFuture.reduce(true, providers.map{ $0.close()}, on: eventLoop){ $0 && $1 }
 }
 
@@ -148,7 +153,7 @@ final class ConnectionPool{
 varhost:String
 varport:Int
 varunixPath:String
-vartlsConfiguration:BestEffortHashableTLSConfiguration?
+privatevartlsConfiguration:BestEffortHashableTLSConfiguration?
 
 enumScheme:Hashable{
 case http
@@ -249,14 +254,15 @@ class HTTP1ConnectionProvider{
 }else{
  logger.trace("opening fresh connection (found matching but inactive connection)",
  metadata:["ahc-dead-connection":"\(connection)"])
-self.makeChannel(preference: waiter.preference).whenComplete{ result in
+self.makeChannel(preference: waiter.preference,
+ logger: logger).whenComplete{ result in
 self.connect(result, waiter: waiter, logger: logger)
 }
 }
 }
 case.create(let waiter):
  logger.trace("opening fresh connection (no connections to reuse available)")
-self.makeChannel(preference: waiter.preference).whenComplete{ result in
+self.makeChannel(preference: waiter.preference, logger: logger).whenComplete{ result in
 self.connect(result, waiter: waiter, logger: logger)
 }
 case.replace(let connection,let waiter):
@@ -266,7 +272,7 @@ class HTTP1ConnectionProvider{
  logger.trace("opening fresh connection (replacing exising connection)",
  metadata:["ahc-old-connection":"\(connection)",
 "ahc-waiter":"\(waiter)"])
-self.makeChannel(preference: waiter.preference).whenComplete{ result in
+self.makeChannel(preference: waiter.preference, logger: logger).whenComplete{ result in
 self.connect(result, waiter: waiter, logger: logger)
 }
 }
@@ -434,8 +440,14 @@ class HTTP1ConnectionProvider{
 returnself.closePromise.futureResult.map{true}
 }
 
-privatefunc makeChannel(preference:HTTPClient.EventLoopPreference)->EventLoopFuture<Channel>{
-returnNIOClientTCPBootstrap.makeHTTP1Channel(destination:self.key, eventLoop:self.eventLoop, configuration:self.configuration, preference: preference)
+privatefunc makeChannel(preference:HTTPClient.EventLoopPreference,
+ logger:Logger)->EventLoopFuture<Channel>{
+returnNIOClientTCPBootstrap.makeHTTP1Channel(destination:self.key,
+ eventLoop:self.eventLoop,
+ configuration:self.configuration,
+ sslContextCache:self.pool.sslContextCache,
+ preference: preference,
+ logger: logger)
 }
 
  /// A `Waiter` represents a request that waits for a connection when none is

Sources/AsyncHTTPClient/HTTPClient.swift

@@ -900,7 +900,9 @@ extension ChannelPipeline{
 try sync.addHandler(handler)
 }
 
-func syncAddLateSSLHandlerIfNeeded(for key:ConnectionPool.Key, tlsConfiguration:TLSConfiguration?, handshakePromise:EventLoopPromise<Void>){
+func syncAddLateSSLHandlerIfNeeded(for key:ConnectionPool.Key,
+ sslContext:NIOSSLContext,
+ handshakePromise:EventLoopPromise<Void>){
 precondition(key.scheme.requiresTLS)
 
 do{
@@ -913,10 +915,9 @@ extension ChannelPipeline{
 try synchronousPipelineView.addHandler(eventsHandler, name:TLSEventsHandler.handlerName)
 
  // Then we add the SSL handler.
-lettlsConfiguration= tlsConfiguration ??TLSConfiguration.forClient()
-letcontext=tryNIOSSLContext(configuration: tlsConfiguration)
 try synchronousPipelineView.addHandler(
-tryNIOSSLClientHandler(context: context, serverHostname:(key.host.isIPAddress || key.host.isEmpty)?nil: key.host),
+tryNIOSSLClientHandler(context: sslContext,
+ serverHostname:(key.host.isIPAddress || key.host.isEmpty)?nil: key.host),
  position:.before(eventsHandler)
 )
 }catch{

Sources/AsyncHTTPClient/LRUCache.swift

@@ -0,0 +1,107 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the AsyncHTTPClient open source project
+//
+// Copyright (c) 2021 Apple Inc. and the AsyncHTTPClient project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+structLRUCache<Key:Equatable&Hashable,
+ Value>{
+privatetypealiasGeneration=UInt64
+privatestructElement{
+vargeneration:Generation
+varkey:Key
+varvalue:Value
+}
+
+privateletcapacity:Int
+privatevargeneration:Generation=0
+privatevarelements:[Element]
+
+init(capacity:Int=8){
+precondition(capacity >0,"capacity needs to be > 0")
+self.capacity = capacity
+self.elements =[]
+self.elements.reserveCapacity(capacity)
+}
+
+privatemutatingfunc findIndex(key:Key)->Int?{
+self.generation +=1
+
+letfound=self.elements.firstIndex{ element in
+ element.key == key
+}
+
+return found
+}
+
+mutatingfunc find(key:Key)->Value?{
+iflet found =self.findIndex(key: key){
+self.elements[found].generation =self.generation
+returnself.elements[found].value
+}else{
+returnnil
+}
+}
+
+@discardableResult
+mutatingfunc append(key:Key, value:Value)->Value{
+letnewElement=Element(generation:self.generation,
+ key: key,
+ value: value)
+iflet found =self.findIndex(key: key){
+self.elements[found]= newElement
+return value
+}
+
+ifself.elements.count <self.capacity {
+self.elements.append(newElement)
+return value
+}
+assert(self.elements.count ==self.capacity)
+assert(self.elements.count >0)
+
+letminIndex=self.elements.minIndex{ l, r in
+ l.generation < r.generation
+}!
+
+self.elements.swapAt(minIndex,self.elements.endIndex -1)
+self.elements.removeLast()
+self.elements.append(newElement)
+
+return value
+}
+
+mutatingfunc findOrAppend(key:Key, _ valueGenerator:(Key)->Value)->Value{
+iflet found =self.find(key: key){
+return found
+}
+
+returnself.append(key: key, value:valueGenerator(key))
+}
+}
+
+extensionArray{
+func minIndex(by areInIncreasingOrder:(Element,Element)throws->Bool)rethrows->Index?{
+varminSoFar:(Index,Element)?
+
+forindexElementinself.enumerated(){
+iflet min = minSoFar {
+iftryareInIncreasingOrder(indexElement.1, min.1){
+ minSoFar = indexElement
+}
+}else{
+ minSoFar = indexElement
+}
+}
+
+return minSoFar.map{ $0.0}
+}
+}

Sources/AsyncHTTPClient/NIOTransportServices/NWErrorHandler.swift

@@ -13,13 +13,14 @@
 //===----------------------------------------------------------------------===//
 
 #if canImport(Network)
-
 import Network
-import NIO
-import NIOHTTP1
-import NIOTransportServices
+#endif
+import NIO
+import NIOHTTP1
+import NIOTransportServices
 
-extensionHTTPClient{
+extensionHTTPClient{
+#if canImport(Network)
 publicstructNWPOSIXError:Error,CustomStringConvertible{
  /// POSIX error code (enum)
 publicleterrorCode:POSIXErrorCode
@@ -57,28 +58,35 @@
 
 publicvardescription:String{returnself.reason }
 }
+#endif
 
-@available(macOS 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0,*)
-classNWErrorHandler:ChannelInboundHandler{
-typealiasInboundIn=HTTPClientResponsePart
+classNWErrorHandler:ChannelInboundHandler{
+typealiasInboundIn=HTTPClientResponsePart
 
-func errorCaught(context:ChannelHandlerContext, error:Error){
-context.fireErrorCaught(NWErrorHandler.translateError(error))
-}
+func errorCaught(context:ChannelHandlerContext, error:Error){
+ context.fireErrorCaught(NWErrorHandler.translateError(error))
+}
 
-staticfunc translateError(_ error:Error)->Error{
-iflet error = error as?NWError{
-switch error {
-case.tls(let status):
-returnNWTLSError(status, reason: error.localizedDescription)
-case.posix(let errorCode):
-returnNWPOSIXError(errorCode, reason: error.localizedDescription)
-default:
-return error
+staticfunc translateError(_ error:Error)->Error{
+#if canImport(Network)
+if #available(OSX 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0,*){
+iflet error = error as?NWError{
+switch error {
+case.tls(let status):
+returnNWTLSError(status, reason: error.localizedDescription)
+case.posix(let errorCode):
+returnNWPOSIXError(errorCode, reason: error.localizedDescription)
+default:
+return error
+}
 }
+return error
+}else{
+preconditionFailure("\(self) used on a non-NIOTS Channel")
 }
-return error
-}
+#else
+preconditionFailure("\(self) used on a non-NIOTS Channel")
+#endif
 }
 }
-#endif
+}

Sources/AsyncHTTPClient/SSLContextCache.swift

@@ -0,0 +1,102 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the AsyncHTTPClient open source project
+//
+// Copyright (c) 2021 Apple Inc. and the AsyncHTTPClient project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Logging
+import NIO
+import NIOConcurrencyHelpers
+import NIOSSL
+
+classSSLContextCache{
+privatevarstate=State.activeNoThread
+privateletlock=Lock()
+privatevarsslContextCache=LRUCache<BestEffortHashableTLSConfiguration,NIOSSLContext>()
+privateletthreadPool=NIOThreadPool(numberOfThreads:1)
+
+enumState{
+case activeNoThread
+case active
+case shutDown
+}
+
+init(){}
+
+func shutdown(){
+self.lock.withLock{()->Voidin
+switchself.state {
+case.activeNoThread:
+self.state =.shutDown
+case.active:
+self.state =.shutDown
+self.threadPool.shutdownGracefully{ maybeError in
+precondition(maybeError ==nil,"\(maybeError!)")
+}
+case.shutDown:
+preconditionFailure("SSLContextCache shut down twice")
+}
+}
+}
+
+deinit{
+assert(self.state ==.shutDown)
+}
+}
+
+extensionSSLContextCache{
+func sslContext(tlsConfiguration:TLSConfiguration,
+ eventLoop:EventLoop,
+ logger:Logger)->EventLoopFuture<NIOSSLContext>{
+letearlyExit=self.lock.withLock{()->EventLoopFuture<NIOSSLContext>?in
+switchself.state {
+case.activeNoThread:
+self.state =.active
+self.threadPool.start()
+returnnil
+case.active:
+returnnil
+case.shutDown:
+structSSLContextCacheShutdownError:Error{}
+return eventLoop.makeFailedFuture(SSLContextCacheShutdownError())
+}
+}
+guard earlyExit ==nilelse{
+return earlyExit!
+}
+
+leteqTLSConfiguration=BestEffortHashableTLSConfiguration(wrapping: tlsConfiguration)
+letsslContext=self.lock.withLock{
+self.sslContextCache.find(key: eqTLSConfiguration)
+}
+
+iflet sslContext = sslContext {
+ logger.debug("found SSL context in cache",
+ metadata:["ahc-tls-config":"\(tlsConfiguration)"])
+return eventLoop.makeSucceededFuture(sslContext)
+}
+
+ logger.debug("creating new SSL context",
+ metadata:["ahc-tls-config":"\(tlsConfiguration)"])
+letnewSSLContext=self.threadPool.runIfActive(eventLoop: eventLoop){
+tryNIOSSLContext(configuration: tlsConfiguration)
+}
+
+ newSSLContext.whenSuccess{(newSSLContext:NIOSSLContext)->Voidin
+self.lock.withLock{()->Voidin
+self.sslContextCache.append(key: eqTLSConfiguration,
+ value: newSSLContext)
+}
+}
+
+return newSSLContext
+}
+}