Updated Branches: refs/heads/master 7264e9ce3 -> 42fc0106c
TS-2365: configure max TLS record size The client can decipher the data only once it has received a full record over SSL. The record size can have significant impact on the page load time performance of the application. No limitation on record size means that clients might have to download up to 16KB of data before starting to process them, whereas very small records incur a larger overhead due to record framing. The suggestion is to configure the TLS record size to fit into a single TCP segment, this can improve page load times on browsers located over high latency or low bandwidth networks. ref: http://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/ Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/42fc0106 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/42fc0106 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/42fc0106 Branch: refs/heads/master Commit: 42fc0106c26bb1ac5cf6bd03481f472c8c364d39 Parents: 7264e9c Author: Wei Sun <[email protected]> Authored: Tue Dec 3 09:20:55 2013 -0800 Committer: James Peach <[email protected]> Committed: Tue Dec 3 09:20:55 2013 -0800 ---------------------------------------------------------------------- CHANGES | 4 +++ .../configuration/records.config.en.rst | 8 ++++++ iocore/net/P_SSLConfig.h | 2 ++ iocore/net/SSLConfig.cc | 4 +++ iocore/net/SSLNetVConnection.cc | 28 ++++++++++++++++---- mgmt/RecordsConfig.cc | 2 ++ 6 files changed, 43 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/42fc0106/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 56ea529..7615363 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 4.2.0 + + *) [TS-2365] Configure the maximum TLS record size. + Author: Wei Sun <[email protected]> + *) [TS-2351] Bandaid fix for Range request crash related to Read-While-Writer and content length calculations. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/42fc0106/doc/reference/configuration/records.config.en.rst ---------------------------------------------------------------------- diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst index 53831a6..f2d901d 100644 --- a/doc/reference/configuration/records.config.en.rst +++ b/doc/reference/configuration/records.config.en.rst @@ -1949,6 +1949,14 @@ SSL Termination TBD +.. ts:cv:: CONFIG proxy.config.ssl.max_record_size INT 0 + + This configuration specifies the maximum number of bytes to write + into a SSL record when replying over a SSL session. In some + circumstances this setting can improve response latency by reducing + buffering at the SSL layer. The default of ``0`` means to always + write all available data into a single SSL record. + Client-Related Configuration ---------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/42fc0106/iocore/net/P_SSLConfig.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h index 039cd7f..facfb25 100644 --- a/iocore/net/P_SSLConfig.h +++ b/iocore/net/P_SSLConfig.h @@ -75,6 +75,8 @@ struct SSLConfigParams : public ConfigInfo int client_verify_depth; long ssl_ctx_options; + static int ssl_maxrecord; + void initialize(); void cleanup(); }; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/42fc0106/iocore/net/SSLConfig.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index 0a9a3b2..9c75fcc 100644 --- a/iocore/net/SSLConfig.cc 
+++ b/iocore/net/SSLConfig.cc @@ -41,6 +41,7 @@ int SSLConfig::configid = 0; int SSLCertificateConfig::configid = 0; +int SSLConfigParams::ssl_maxrecord = 0; static ConfigUpdateHandler<SSLCertificateConfig> * sslCertUpdate; @@ -184,6 +185,9 @@ SSLConfigParams::initialize() REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache"); REC_ReadConfigInteger(ssl_session_cache_size, "proxy.config.ssl.session_cache.size"); + // SSL record size + REC_EstablishStaticConfigInt32(ssl_maxrecord, "proxy.config.ssl.max_record_size"); + // ++++++++++++++++++++++++ Client part ++++++++++++++++++++ client_verify_depth = 7; REC_ReadConfigInt32(clientVerify, "proxy.config.ssl.client.verify.server"); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/42fc0106/iocore/net/SSLNetVConnection.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index fde9117..9e477da 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -348,10 +348,22 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, i // check if to amount to write exceeds that in this buffer int64_t wavail = towrite - total_wrote; - if (l > wavail) + if (l > wavail) { l = wavail; - if (!l) + } + + // TS-2365: If the SSL max record size is set and we have + // more data than that, break this into smaller write + // operations. + int64_t orig_l = l; + if (SSLConfigParams::ssl_maxrecord > 0 && l > SSLConfigParams::ssl_maxrecord) { + l = SSLConfigParams::ssl_maxrecord; + } + + if (!l) { break; + } + wattempted = l; total_wrote += l; Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite, before do_SSL_write, l=%" PRId64", towrite=%" PRId64", b=%p", 
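Review bot: The value read by `REC_EstablishStaticConfigInt32(ssl_maxrecord, "proxy.config.ssl.max_record_size")` is never bounded, and the matching entry added in `mgmt/RecordsConfig.cc` registers it with `RECC_NULL`, so any integer is accepted. A value above the TLS plaintext fragment limit (16384 bytes) has no effect because the library already fragments at that size, while a tiny positive value turns every write into a stream of minimal records carrying full framing and MAC overhead, and neither case is reported anywhere. Because the record is `RECU_DYNAMIC` and the callback writes the static directly, a check here in `initialize()` would only cover startup, so the range belongs on the record itself, e.g. `RECC_INT, "[0-16384]"` in place of `RECC_NULL, NULL` if that check form is available, and the `static int ssl_maxrecord;` declaration in `P_SSLConfig.h` deserves a one-line comment such as `// bytes per SSL record, 0 = no limit; rewritten in place on dynamic reload, read without locking from the write path`. The body of `initialize()` continues outside the hunk.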
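Review bot: `SSLConfigParams::ssl_maxrecord` is read twice in the new clamp, once in the condition and once in the assignment, and since the record is `RECU_DYNAMIC` and established with `REC_EstablishStaticConfigInt32` the static can change between the two reads on a reload; if it is reset to 0 in that window `l` becomes 0 and the following `if (!l) break;` leaves the write loop with data still pending. Reading it once into a local removes the window and also documents the intent: `const int64_t maxrecord = SSLConfigParams::ssl_maxrecord; if (maxrecord > 0 && l > maxrecord) { l = maxrecord; }`. It remains a plain non-atomic `int` shared by every net thread, so if the project has an atomic or snapshot idiom for dynamic config it would be the safer home than a bare static. `load_buffer_and_write` starts before this hunk and continues past it.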
@@ -360,12 +372,18 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, int64_t &wattempted, i if (r == l) { wattempted = total_wrote; } - // on to the next block - offset = 0; - b = b->next; + if (l == orig_l) { + // on to the next block + offset = 0; + b = b->next; + } else { + offset += l; + } + Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite,Number of bytes written=%" PRId64" , total=%" PRId64"", r, total_wrote); NET_DEBUG_COUNT_DYN_STAT(net_calls_to_write_stat, 1); } while (r == l && total_wrote < towrite && b); + if (r > 0) { if (total_wrote != wattempted) { Debug("ssl", "SSLNetVConnection::loadBufferAndCallWrite, wrote some bytes, but not all requested."); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/42fc0106/mgmt/RecordsConfig.cc ---------------------------------------------------------------------- diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index 9683ba0..cc4a74f 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc @@ -1273,6 +1273,8 @@ RecordElement RecordsConfig[] = { , {RECT_CONFIG, "proxy.config.ssl.session_cache.size", RECD_INT, "20480", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL} , + {RECT_CONFIG, "proxy.config.ssl.max_record_size", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} + , //############################################################################## //# ICP Configuration
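Review bot: The new `else { offset += l; }` branch keeps `b` and relies on the next iteration deriving `l` from the block's remaining bytes minus `offset`; the lines at the top of the loop body that compute `l` are outside this hunk, so please confirm they subtract `offset`, otherwise a clamped write re-sends the bytes just written. The branch would also read better with the same style of comment the `if` side already has, e.g. `// TS-2365: record was clamped, stay on this block and skip past what was written`. Nothing in the hunk changes the exit condition `while (r == l && total_wrote < towrite && b)`, so a short `SSL_write` on a clamped record still falls through to the existing partial-write handling below, which is the intended behaviour as far as the visible lines show.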
