On Wed, Oct 07, 2015 at 01:35:38AM +0200, Yann Ylavic wrote:
> For the server case, openssl will use its own buffering mechanism
> during the handshake "so that the output is sent in a way that TCP
> likes", according to the comment in the code, so we shouldn't be
> flushing small chunks.
> Yet for the server case still, openssl will issue its own flush
> appropriately, so we may introduce a spurious flush by doing this
> (something I didn't think about).

That's really interesting. That extra buffering BIO makes sense if OpenSSL is writing to the socket descriptor directly, as with pre-2.x mod_ssl, but doesn't really make sense with 2.x mod_ssl, since the core output filter is doing that work in the "right" place. I guess it doesn't impact performance much because it's handshake-time only as you say, but still, it would be interesting to try ripping that out.

> Thus I agree that Joe's proposal is better: SSL_in_connect_init() but
> for the buggy case (openssl < 0.9.8m) where we need the generic
> SSL_is_init_finished().
> Will commit this, thanks for the feedback.

As ever, looks great Yann, thanks a lot.

Regards, Joe