Hi Ilya,



> Ah, interesting. Doing a bit more digging on this end, I see
> "SSL_set_max_send_fragment", albeit that's from back in 2005. Is that
> what you guys are looking at?
> https://github.com/openssl/openssl/commit/566dda07ba16f9d3b9774fd5c8d526d7cc93f179

Yes, that's it! It appears in OpenSSL 1.0.0.

For the long certificate chain optimization, you will find a patch attached, greatly inspired by nginx. Could you test it?

Regards,
Emeric




From 603b40b41f152b57fffc18e9cf8332d24053a2f5 Mon Sep 17 00:00:00 2001
From: Emeric Brun <[email protected]>
Date: Tue, 28 Jan 2014 15:43:53 +0100
Subject: [PATCH] MINOR: ssl: handshake optimization for long certificate chains.

Greatly inspired by Nginx code: we try to dynamically
raise the output buffer size from 4k to 16k during handshake.
---
 src/ssl_sock.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 31f0939..765a5d6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -75,6 +75,7 @@
 #include <proto/task.h>
 
 #define SSL_SOCK_ST_FL_VERIFY_DONE  0x00000001
+#define SSL_SOCK_ST_FL_16K_WBFSIZE  0x00000002
 /* bits 0xFFFF0000 are reserved to store verify errors */
 
 /* Verify errors macros */
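Review bot: The new flag value 0x00000002 is consistent with the existing layout of conn->xprt_st (bit 0 used by SSL_SOCK_ST_FL_VERIFY_DONE, bits 0xFFFF0000 reserved for verify errors), but the name SSL_SOCK_ST_FL_16K_WBFSIZE hard-codes the size; a short comment next to the define saying it means "write buffer BIO already raised to 16k for this connection" would make the intent clear if the size is ever tuned.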
@@ -92,6 +93,7 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
 {
 	struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
 	(void)ret; /* shut gcc stupid warning */
+	BIO *write_bio;
 
 	if (where & SSL_CB_HANDSHAKE_START) {
 		/* Disable renegotiation (CVE-2009-3555) */
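Review bot: The added declaration `BIO *write_bio;` is placed after the statement `(void)ret;`, which is a declaration-after-statement that older C dialects reject and gcc flags under -Wdeclaration-after-statement; move it up next to the `struct connection *conn` declaration at the top of the function.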
@@ -100,6 +102,21 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
 			conn->err_code = CO_ER_SSL_RENEG;
 		}
 	}
+
+	if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
+		if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) {
+			/* Long certificate chains optimz
+			   If write and read bios are differents, we
+			   consider that the buffering was activated,
+                           so we rise the output buffer size from 4k
+			   to 16k */
+			write_bio = SSL_get_wbio(ssl);
+			if (write_bio != SSL_get_rbio(ssl)) {
+				BIO_set_write_buffer_size(write_bio, 16384);
+				conn->xprt_st |= SSL_SOCK_ST_FL_16K_WBFSIZE;
+			}
+		}
+	}
 }
 
 /* Callback is called for each certificate of the chain during a verify
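Review bot: The return value of `BIO_set_write_buffer_size(write_bio, 16384);` is not checked, yet SSL_SOCK_ST_FL_16K_WBFSIZE is set unconditionally right after it; if the call fails (allocation failure, or the write BIO is not the buffering BIO the wbio != rbio heuristic assumes), the connection keeps the 4k buffer but is flagged as raised and will not be retried on later SSL_CB_ACCEPT_LOOP callbacks. Either test the result before setting the flag, or state in the comment that a failed resize is deliberately ignored. Also note that only SSL_CB_ACCEPT_LOOP is handled, so server-side handshakes benefit while outgoing (connect) handshakes with long chains do not; if that is intended, the commit message should say so. Minor: the block comment mixes tab and space indentation (the "so we rise the output buffer size" line) and has spelling slips ("optimz", "differents", "rise").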
-- 
1.7.9.5
