[PATCH] SSL: mark connections as non-reusable before SSL handshake
Piotr Sikora
piotr at cloudflare.com
Mon Jun 22 21:33:31 UTC 2015
Hey Maxim,
> As far as I understand, this change isn't usable with an
> unmodified nginx
It is, since nginx modules are free to install those SSL callbacks
(for example: ngx_lua's ssl_certificate_by_lua).
> (and introduces some minor pessimization in an
> unlikely case when first ngx_ssl_handshake() will not return
> NGX_AGAIN).
Since an SSL/TLS handshake requires at least 1 RTT (even in the case of
session resumption), the only case in which ngx_ssl_handshake()
wouldn't return NGX_AGAIN is when the handshake failed based on the
ClientHello (no shared ciphers, inappropriate fallback, etc.), in
which case the connection will be closed and
ngx_reusable_connection(c, 0) will be called from
ngx_close_connection() anyway.
Calling ngx_reusable_connection(c, 0) twice is basically a no-op, so I
don't really consider this a pessimization.
Best regards,
Piotr Sikora
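The "calling it twice is a no-op" argument above rests on the reusable-connection state being tracked by a flag plus a queue, so that a second "mark non-reusable" call finds nothing to unlink. The model below is an added illustration written for this page, not nginx's own code or the patch under discussion: the names reusable_queue_t, reusable_connection() and the scenario_* functions are assumptions chosen for this example, and the queue is a simplified stand-in for the real connection list.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a connection and a queue of reusable connections.
 * Assumed names; this is not nginx's code, only the semantics the thread
 * relies on: a flag records queue membership, and unlinking happens only
 * when the flag is set. */
typedef struct conn_s {
    int            reusable;     /* 1 while the connection sits on the queue */
    struct conn_s *prev, *next;  /* intrusive doubly-linked list links */
} conn_t;

typedef struct {
    conn_t head;                 /* sentinel node of the circular list */
    size_t count;                /* number of connections on the queue */
} reusable_queue_t;

void queue_init(reusable_queue_t *q) {
    q->head.prev = q->head.next = &q->head;
    q->head.reusable = 0;
    q->count = 0;
}

/* Switch a connection's reusable state. If it is currently queued it is
 * unlinked first; it is re-queued only when reusable is non-zero. Because
 * unlinking is guarded by the flag, a repeated (c, 0) call changes nothing. */
void reusable_connection(reusable_queue_t *q, conn_t *c, int reusable) {
    if (c->reusable) {
        c->prev->next = c->next;
        c->next->prev = c->prev;
        c->prev = c->next = NULL;
        q->count--;
    }
    c->reusable = reusable;
    if (reusable) {
        c->next = q->head.next;
        c->prev = &q->head;
        q->head.next->prev = c;
        q->head.next = c;
        q->count++;
    }
}

/* Scenario from the thread: a connection is made reusable, then marked
 * non-reusable before the handshake, then marked non-reusable again when
 * the connection is closed. Returns the queue length afterwards. */
size_t scenario_double_mark(void) {
    reusable_queue_t q;
    conn_t c = {0};
    queue_init(&q);
    reusable_connection(&q, &c, 1);  /* queued: count is 1 */
    reusable_connection(&q, &c, 0);  /* before handshake: count is 0 */
    reusable_connection(&q, &c, 0);  /* on close: nothing to unlink */
    return q.count;
}

/* The symmetric case: marking reusable twice must not queue it twice. */
size_t scenario_double_reusable(void) {
    reusable_queue_t q;
    conn_t c = {0};
    queue_init(&q);
    reusable_connection(&q, &c, 1);
    reusable_connection(&q, &c, 1);  /* unlinked, then re-inserted once */
    return q.count;
}

int main(void) {
    printf("after double non-reusable: %zu queued\n", scenario_double_mark());
    printf("after double reusable:     %zu queued\n", scenario_double_reusable());
    return 0;
}
```

The guard on c->reusable is what makes the early call before the handshake safe: whether ngx_ssl_handshake() returns NGX_AGAIN or the connection is closed immediately, the later call from the close path finds the flag already clear and leaves the queue untouched.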
More information about the nginx-devel mailing list