[nginx] SSL: adjust buffer used by OpenSSL during handshake (tic...

Maxim Dounin mdounin at mdounin.ru
Fri Sep 27 15:39:51 UTC 2013 

details:   http://hg.nginx.org/nginx/rev/a720f0b0e083
branches:  
changeset: 5395:a720f0b0e083
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Fri Sep 27 19:39:33 2013 +0400
description:
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).

diffstat:

 src/event/ngx_event_openssl.c |  26 ++++++++++++++++++++++++++
 src/event/ngx_event_openssl.h |   1 +
 2 files changed, 27 insertions(+), 0 deletions(-)

diffs (54 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -521,6 +521,7 @@ ngx_ssl_verify_callback(int ok, X509_STO
 static void
 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
 {
+    BIO               *rbio, *wbio;
     ngx_connection_t  *c;
 
     if (where & SSL_CB_HANDSHAKE_START) {
@@ -531,6 +532,31 @@ ngx_ssl_info_callback(const ngx_ssl_conn
             ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
         }
     }
+
+    if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
+        c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+        if (!c->ssl->handshake_buffer_set) {
+            /*
+             * By default OpenSSL uses 4k buffer during a handshake,
+             * which is too low for long certificate chains and might
+             * result in extra round-trips.
+             *
+             * To adjust a buffer size we detect that buffering was added
+             * to write side of the connection by comparing rbio and wbio.
+             * If they are different, we assume that it's due to buffering
+             * added to wbio, and set buffer size.
+             */
+
+            rbio = SSL_get_rbio(ssl_conn);
+            wbio = SSL_get_wbio(ssl_conn);
+
+            if (rbio != wbio) {
+                (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
+                c->ssl->handshake_buffer_set = 1;
+            }
+        }
+    }
 }
 
 
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -48,6 +48,7 @@ typedef struct {
     unsigned                    buffer:1;
     unsigned                    no_wait_shutdown:1;
     unsigned                    no_send_shutdown:1;
+    unsigned                    handshake_buffer_set:1;
 } ngx_ssl_connection_t;

More information about the nginx-devel mailing list