Hi Ilya,
Ah, interesting. Doing a bit more digging on this end, I see
"SSL_set_max_send_fragment", albeit that's from back in 2005. Is that
what you guys are looking at?
https://github.com/openssl/openssl/commit/566dda07ba16f9d3b9774fd5c8d526d7cc93f179
Yes, that's it! it appears in openssl 1.0.0.
For the long certificate chains optim, you will find a patch in
attachment, greatly inspired from nginx. Could you test it?
Regards,
Emeric
ig
>From 603b40b41f152b57fffc18e9cf8332d24053a2f5 Mon Sep 17 00:00:00 2001
From: Emeric Brun <[email protected]>
Date: Tue, 28 Jan 2014 15:43:53 +0100
Subject: [PATCH] MINOR: ssl: handshake optimz for long certificate chains.
Greatly inspired from Nginx code: we try to dynamicaly
rise the output buffer size from 4k to 16k during handshake.
---
src/ssl_sock.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 31f0939..765a5d6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -75,6 +75,7 @@
#include <proto/task.h>
#define SSL_SOCK_ST_FL_VERIFY_DONE 0x00000001
+#define SSL_SOCK_ST_FL_16K_WBFSIZE 0x00000002
/* bits 0xFFFF0000 are reserved to store verify errors */
/* Verify errors macros */
@@ -92,6 +93,7 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
{
struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
(void)ret; /* shut gcc stupid warning */
+ BIO *write_bio;
if (where & SSL_CB_HANDSHAKE_START) {
/* Disable renegotiation (CVE-2009-3555) */
@@ -100,6 +102,21 @@ void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
conn->err_code = CO_ER_SSL_RENEG;
}
}
+
+ if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
+ if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) {
+ /* Long certificate chains optimz
+ If write and read bios are differents, we
+ consider that the buffering was activated,
+ so we rise the output buffer size from 4k
+ to 16k */
+ write_bio = SSL_get_wbio(ssl);
+ if (write_bio != SSL_get_rbio(ssl)) {
+ BIO_set_write_buffer_size(write_bio, 16384);
+ conn->xprt_st |= SSL_SOCK_ST_FL_16K_WBFSIZE;
+ }
+ }
+ }
}
/* Callback is called for each certificate of the chain during a verify
--
1.7.9.5