maskit commented on code in PR #13202:
URL: https://github.com/apache/trafficserver/pull/13202#discussion_r3343233840


##########
src/iocore/net/TLSBasicSupport.cc:
##########
@@ -52,6 +52,9 @@ TLSBasicSupport::initialize()
 TLSBasicSupport *
 TLSBasicSupport::getInstance(SSL *ssl)
 {
+  if (auto *exd = SSLExDataGet(ssl)) {
+    return exd->basic;
+  }
   return static_cast<TLSBasicSupport *>(SSL_get_ex_data(ssl, _ex_data_index));
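Review bot: The early return at line 13 hands back `exd->basic` without a null check, so an SSL object that carries an attached ex-data block whose `basic` slot was never filled yields nullptr here and never reaches the `SSL_get_ex_data` lookup below. From the `_bindSSLObject` hunk on this page it looks like the block is fully populated before `SSLNetVCAttach` is called, but that holds only if every attach site goes through `_bindSSLObject`, which this diff does not show. If that invariant is intended, a one-line comment above the `if` would make the unchecked dereference deliberate, e.g. `// _ssl_ex_data is fully populated in _bindSSLObject() before it is attached`. getInstance's body continues past the end of the hunk.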

Review Comment:
   Why do we need this fallback?



##########
src/iocore/net/SSLNetVConnection.cc:
##########
@@ -111,47 +111,53 @@ SSLNetVConnection::_make_ssl_connection(SSL_CTX *ctx)
                                  this->options.f_tcp_fastopen ? 
this->get_remote_addr() : static_cast<const sockaddr *>(nullptr));
 
       SSL_set_bio(ssl, bio, bio);
-    } else {
+    } else if (this->transparentPassThrough || this->allowPlain) {
+      // Need handshake buffers to capture CLIENT_HELLO for potential 
blind-tunnel replay
       this->initialize_handshake_buffers();
       BIO *rbio = BIO_new(BIO_s_mem());
       BIO *wbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
       BIO_set_mem_eof_return(wbio, -1);
       SSL_set_bio(ssl, rbio, wbio);
+    } else {
+      // No blind-tunnel possible: use direct socket BIO, skip handshake 
buffers.
+      // Buffer BIO on write side coalesces TLS records into fewer write() 
syscalls.
+      BIO *rbio      = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
+      BIO *sock_wbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
+      BIO *buf_wbio  = BIO_new(BIO_f_buffer());
+      BIO_set_write_buffer_size(buf_wbio, 65536);
+      BIO *wbio = BIO_push(buf_wbio, sock_wbio);
+      SSL_set_bio(ssl, rbio, wbio);
+    }
 
 #if TS_HAS_TLS_EARLY_DATA
+    if (this->get_context() != NET_VCONNECTION_OUT) {
       update_early_data_config(ssl, SSLConfigParams::server_max_early_data, 
SSLConfigParams::server_recv_max_early_data);
-#endif
     }
+#endif
     this->_bindSSLObject();
   }
 }
 
 void
 SSLNetVConnection::_bindSSLObject()
 {
-  SSLNetVCAttach(this->ssl, this);
-  TLSBasicSupport::bind(this->ssl, this);
+  this->_ssl_ex_data.vc          = this;
+  this->_ssl_ex_data.basic       = static_cast<TLSBasicSupport *>(this);
+  this->_ssl_ex_data.event       = static_cast<TLSEventSupport *>(this);
+  this->_ssl_ex_data.alpn        = static_cast<ALPNSupport *>(this);
+  this->_ssl_ex_data.resumption  = static_cast<TLSSessionResumptionSupport 
*>(this);
+  this->_ssl_ex_data.sni         = static_cast<TLSSNISupport *>(this);
+  this->_ssl_ex_data.early_data  = static_cast<TLSEarlyDataSupport *>(this);
+  this->_ssl_ex_data.tunnel      = static_cast<TLSTunnelSupport *>(this);
+  this->_ssl_ex_data.cert_switch = static_cast<TLSCertSwitchSupport *>(this);
+  SSLNetVCAttach(this->ssl, &this->_ssl_ex_data);
   TLSEventSupport::bind(this->ssl, this);
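Review bot: Records written through `buf_wbio` (lines 46-48) stay in the 64 KiB `BIO_f_buffer` until it fills or `BIO_flush()` is called on the chain, so unless the write path elsewhere in this PR flushes after each batch of `SSL_write` calls, a small response could sit unsent; the hunk does not show where that flush happens, so this may already be handled. The size `65536` on line 47 is a bare literal; naming it, `static constexpr int kTlsWriteBufferSize = 65536;` next to the BIO setup, documents the choice and gives one place to tune it. The three `BIO_new*` results in the new branch are used unchecked, which matches the pre-existing `else if` branch, but here a null `buf_wbio` is, as far as I read `BIO_push`, silently returned as the unbuffered `sock_wbio`, so a short comment stating that degradation is acceptable (or a null check with the same failure handling the other branch would need) is worth adding. `_make_ssl_connection` starts before this hunk and `_bindSSLObject` continues past its end.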

Review Comment:
   Why do we need to keep this one?


