maskit commented on code in PR #13202:
URL: https://github.com/apache/trafficserver/pull/13202#discussion_r3352305713
##########
src/iocore/net/SSLNetVConnection.cc:
##########
@@ -123,11 +123,26 @@ SSLNetVConnection::_make_ssl_connection(SSL_CTX *ctx)
SSL_set_bio(ssl, bio, bio);
} else {
- this->initialize_handshake_buffers();
- BIO *rbio = BIO_new(BIO_s_mem());
- BIO *wbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
- BIO_set_mem_eof_return(wbio, -1);
- SSL_set_bio(ssl, rbio, wbio);
+ if (this->transparentPassThrough || this->allowPlain) {
+ // Blind-tunnel possible: keep handshake buffers to capture/replay the
CLIENT_HELLO.
+ this->initialize_handshake_buffers();
+ BIO *rbio = BIO_new(BIO_s_mem());
+ BIO *wbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
+ BIO_set_mem_eof_return(wbio, -1);
+ SSL_set_bio(ssl, rbio, wbio);
+ } else {
+ // No blind-tunnel: direct socket BIO, skip handshake buffers. On
OpenSSL a
+ // write-side buffer BIO coalesces TLS records into fewer write()
syscalls;
+ // BoringSSL has no filter BIOs, so it uses the plain socket BIO.
+ BIO *rbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
+ BIO *wbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
+#if !defined(OPENSSL_IS_BORINGSSL)
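Review bot: in the `transparentPassThrough || allowPlain` branch, `BIO_set_mem_eof_return(wbio, -1)` targets the socket BIO, while the memory BIO created with `BIO_new(BIO_s_mem())` is `rbio`. That control only has meaning for a memory BIO, so on `wbio` it has no effect. The line is carried over unchanged from the removed code, but since this hunk rewrites the block it is a good moment to either point the call at `rbio`, if retry-on-empty behaviour for the handshake buffer is what is intended, or drop it with a short comment explaining why it is not needed.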
Review Comment:
Not a blocker but I'd gate it by the availability of `BIO_f_buffer`. This
would cause a build error if ATS is built with AWS-LC.