[PATCH] SSL: mark connections as non-reusable before SSL handshake

Piotr Sikora piotr at cloudflare.com
Mon Jun 22 21:33:31 UTC 2015


Hey Maxim,

> As far as I understand, this change isn't useable with an
> unmodified nginx

It is, since nginx modules are free to install those SSL callbacks
(for example: ngx_lua's ssl_certificate_by_lua).

> (and introduces some minor pessimization in an
> unlikely case when first ngx_ssl_handshake() will not return
> NGX_AGAIN).

Since the SSL/TLS handshake requires at least 1 RTT (even in case of
session resumption), the only case in which ngx_ssl_handshake()
wouldn't return NGX_AGAIN is when the handshake failed based on
ClientHello (no shared ciphers, inappropriate fallback, etc.), in
which case the connection will be closed and
ngx_reusable_connection(c, 0) will be called from
ngx_close_connection() anyway.

Calling ngx_reusable_connection(c, 0) twice is basically a no-op, so I
don't really consider this a pessimization.

Best regards,
Piotr Sikora
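The argument above about marking a connection non-reusable before the handshake, and about the second ngx_reusable_connection(c, 0) being a no-op, is easier to follow with the queue mechanics in front of you. The following is an added illustration written for this thread, not nginx's own code: a reduced model of the reusable-connection queue in which the function names mirror nginx's (ngx_reusable_connection, ngx_close_connection, ngx_drain_connections) but the structures are a toy intrusive list over a small array. The scenario it exercises, a drain closing a connection while a module's SSL callback is still pending inside the handshake, is an assumed reading of why the marking should happen before ngx_ssl_handshake(); the thread itself does not spell out that failure mode.

```c
/* Added model for this thread, NOT nginx's code: reusable-connection queue
 * with the same shape as nginx's, reduced to a toy intrusive list. */
#include <stddef.h>
#include <string.h>

typedef struct ngx_queue_s  ngx_queue_t;
struct ngx_queue_s { ngx_queue_t *prev, *next; };

typedef struct {
    int          id;
    unsigned     reusable:1;
    unsigned     closed:1;
    unsigned     handshaking:1;   /* SSL handshake in flight (assumed flag) */
    ngx_queue_t  queue;
} ngx_connection_t;

static ngx_queue_t  reusable_connections_queue;
static unsigned     reusable_connections_n;

#define ngx_queue_data(q, type, link) \
    ((type *) ((unsigned char *) (q) - offsetof(type, link)))

static void queue_init(ngx_queue_t *h) { h->prev = h; h->next = h; }
static void queue_remove(ngx_queue_t *q) {
    q->next->prev = q->prev; q->prev->next = q->next;
}
static void queue_insert_head(ngx_queue_t *h, ngx_queue_t *q) {
    q->next = h->next; q->next->prev = q; q->prev = h; h->next = q;
}

/* Remove if currently reusable, then re-insert only when asked to.  A second
 * (c, 0) call finds c->reusable == 0 and touches nothing: calling it twice
 * is a no-op, as the reply above says. */
void ngx_reusable_connection(ngx_connection_t *c, unsigned reusable) {
    if (c->reusable) {
        queue_remove(&c->queue);
        reusable_connections_n--;
    }
    c->reusable = reusable;
    if (reusable) {
        queue_insert_head(&reusable_connections_queue, &c->queue);
        reusable_connections_n++;
    }
}

/* Closing a connection unmarks it, as ngx_close_connection() does. */
void ngx_close_connection(ngx_connection_t *c) {
    ngx_reusable_connection(c, 0);
    c->closed = 1;
}

/* Close up to n reusable connections, oldest (queue tail) first, which is
 * what nginx does under free-connection pressure.  Returns the count. */
unsigned ngx_drain_connections(unsigned n) {
    unsigned closed = 0;
    while (n-- && reusable_connections_queue.prev != &reusable_connections_queue) {
        ngx_queue_t *q = reusable_connections_queue.prev;
        ngx_close_connection(ngx_queue_data(q, ngx_connection_t, queue));
        closed++;
    }
    return closed;
}

/* Constructed scenario: three accepted connections are reusable; conn 0
 * enters the SSL handshake and a module callback yields before the
 * handshake returns NGX_AGAIN; a drain runs meanwhile.  mark_before == 1
 * models the patch (unmark before ngx_ssl_handshake()).  Returns 1 if the
 * drain closed the connection mid-handshake. */
int handshake_killed_by_drain(int mark_before) {
    ngx_connection_t conns[3];
    int i;

    queue_init(&reusable_connections_queue);
    reusable_connections_n = 0;
    memset(conns, 0, sizeof(conns));
    for (i = 0; i < 3; i++) {
        conns[i].id = i;
        ngx_reusable_connection(&conns[i], 1);   /* as after accept() */
    }

    if (mark_before) {
        ngx_reusable_connection(&conns[0], 0);
    }
    conns[0].handshaking = 1;   /* inside ngx_ssl_handshake(), not returned */

    ngx_drain_connections(3);   /* pressure while the callback is pending */

    return conns[0].closed && conns[0].handshaking;
}

/* Unmarking twice leaves counter and connection exactly as unmarking once. */
int double_unmark_is_noop(void) {
    ngx_connection_t c;
    unsigned after_once;

    queue_init(&reusable_connections_queue);
    reusable_connections_n = 0;
    memset(&c, 0, sizeof(c));

    ngx_reusable_connection(&c, 1);
    ngx_reusable_connection(&c, 0);
    after_once = reusable_connections_n;
    ngx_reusable_connection(&c, 0);

    return after_once == 0 && reusable_connections_n == 0 && c.reusable == 0;
}
```

Without the early unmark, the drain picks the handshaking connection first because it sits at the queue tail (it was marked reusable first), which is the whole point of moving the ngx_reusable_connection(c, 0) call ahead of the handshake.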
