[nginx] SSL: adjust buffer used by OpenSSL during handshake (tic...
Maxim Dounin
mdounin at mdounin.ru
Fri Sep 27 15:39:51 UTC 2013
details: http://hg.nginx.org/nginx/rev/a720f0b0e083
branches:
changeset: 5395:a720f0b0e083
user: Maxim Dounin <mdounin at mdounin.ru>
date: Fri Sep 27 19:39:33 2013 +0400
description:
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
diffstat:
src/event/ngx_event_openssl.c | 26 ++++++++++++++++++++++++++
src/event/ngx_event_openssl.h | 1 +
2 files changed, 27 insertions(+), 0 deletions(-)
diffs (54 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -521,6 +521,7 @@ ngx_ssl_verify_callback(int ok, X509_STO
static void
ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
{
+ BIO *rbio, *wbio;
ngx_connection_t *c;
if (where & SSL_CB_HANDSHAKE_START) {
@@ -531,6 +532,31 @@ ngx_ssl_info_callback(const ngx_ssl_conn
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
}
}
+
+ if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
+ c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+ if (!c->ssl->handshake_buffer_set) {
+ /*
+ * By default OpenSSL uses 4k buffer during a handshake,
+ * which is too low for long certificate chains and might
+ * result in extra round-trips.
+ *
+ * To adjust a buffer size we detect that buffering was added
+ * to write side of the connection by comparing rbio and wbio.
+ * If they are different, we assume that it's due to buffering
+ * added to wbio, and set buffer size.
+ */
+
+ rbio = SSL_get_rbio(ssl_conn);
+ wbio = SSL_get_wbio(ssl_conn);
+
+ if (rbio != wbio) {
+ (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
+ c->ssl->handshake_buffer_set = 1;
+ }
+ }
+ }
}
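Review bot: The result of `BIO_set_write_buffer_size()` at the `(void)` call is discarded, yet `handshake_buffer_set` is set to 1 immediately afterwards, so if the ctrl fails (the wbio that differs from rbio is not actually a buffering BIO, or the larger buffer cannot be allocated) the 4k default stays in place silently and is never retried. The comment itself calls the `rbio != wbio` test an assumption, so a failed ctrl is a plausible outcome worth recording; I'd write `if (BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE) <= 0) { ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "BIO_set_write_buffer_size() failed"); }` and keep the flag assignment so the attempt is still made only once. Separately, the condition matches only `SSL_CB_ACCEPT_LOOP`, so the adjustment applies to the server-side (accept) handshake and not to connections where nginx is the TLS client; if that is intentional, a sentence in the comment such as `/* only the accept side is adjusted: this is where the server's chain is written */` would save the next reader from checking.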
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -48,6 +48,7 @@ typedef struct {
unsigned buffer:1;
unsigned no_wait_shutdown:1;
unsigned no_send_shutdown:1;
+ unsigned handshake_buffer_set:1;
} ngx_ssl_connection_t;