[PATCH] Enable SSL_OP_PRIORITIZE_CHACHA for server-side SSL contexts
Maxim Dounin
mdounin at mdounin.ru
Sat May 4 00:37:51 UTC 2019
Hello!
On Sat, May 04, 2019 at 02:07:44AM +0200, Pascal Ernster wrote:
> # HG changeset patch
> # User Pascal Ernster <nginx-devel at hardfalcon.net>
> # Date 1556927912 -7200
> # Sat May 04 01:58:32 2019 +0200
> # Node ID 9560af6ada8f395a3b01c66e6846fa7ebd41729d
> # Parent 16a1adadf43751f59257ba419f6bacd530dd19d3
> Enable SSL_OP_PRIORITIZE_CHACHA for server-side SSL contexts.
>
> Available since OpenSSL 1.1.1, this prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list, indicating that the client does not have hardware acceleration for AES. The result is much better performance on devices like low-end Android smartphones or embedded hardware running OpenWRT.
>
> diff -r 16a1adadf437 -r 9560af6ada8f src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Wed Apr 24 16:38:56 2019 +0300
> +++ b/src/event/ngx_event_openssl.c Sat May 04 01:58:32 2019 +0200
> @@ -380,6 +380,10 @@
> SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
> #endif
>
> +#ifdef SSL_OP_PRIORITIZE_CHACHA
> + SSL_CTX_set_options(ssl->ctx, SSL_OP_PRIORITIZE_CHACHA);
> +#endif
> +
> SSL_CTX_set_read_ahead(ssl->ctx, 1);
>
> SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
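Review bot: The added `SSL_CTX_set_options(ssl->ctx, SSL_OP_PRIORITIZE_CHACHA);` is guarded only by `#ifdef SSL_OP_PRIORITIZE_CHACHA`, so it is applied to every context that reaches this code whenever the library defines the macro, and the operator has no way to turn it off. The commit message says "server-side SSL contexts", but nothing in the visible lines restricts the call to server use. OpenSSL documents this option as taking effect only together with SSL_OP_CIPHER_SERVER_PREFERENCE, which means it changes the negotiated cipher exactly for those deployments that chose to enforce their own cipher order. Consider gating it behind a configuration setting, or at minimum stating in the commit message that it depends on server cipher preference and can override the configured order when a client lists ChaCha20 first.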
Thank you for the patch.
See comments here:
https://trac.nginx.org/nginx/ticket/1445
--
Maxim Dounin
http://mdounin.ru/