On Mon, 24 Sep 2007 02:32:13 pm Mr Allwyn Fernandes wrote:
> Everything seems to work, so far; I've not tested it extensively, but plain
> files and cgi scripts both appear to work as expected. Most things produce
> sensible error messages, but again, I haven't tested all possibilities.
Just a quick note for anyone testing this patch; the USE_SSL_GNUTLS option is currently mutually incompatible with LINUX_SENDFILE (and probably FREEBSD_SENDFILE, although I can't test that...). I have located the bug, and am working on a fix. If you are testing GnuTLS functionality in the current patch, please build without *_SENDFILE for the moment.

For the record, *_SENDFILE still works after applying the patch, if USE_SSL_GNUTLS is disabled. (If you find that this is not working, please let me know - my testing of LINUX_SENDFILE indicates that it is working.)

Cheers,
Allwyn.

PS: For those who are interested in the technical reason: sendfile() works using the socket file descriptor directly in kernelspace, but the GnuTLS encryption happens in userspace. What ends up happening is that sendfile() sends the unencrypted data after the TLS handshake has occurred, which clients (browsers) see as invalid data and drop the connection. The solution is: if (connection is not using TLS) use sendfile() else use normal IO.

This is not specifically a GnuTLS limitation, either; most SSL toolkits, including OpenSSL, work entirely in userspace. This is good because then a) the toolkits can be upgraded without recompiling the kernel, and b) the toolkits are portable across different operating systems, but imposes the limitation that in-kernel optimisations like sendfile() cannot be used.

-- 
Allwyn Fernandes
Director
Stobor Pty Ltd
Mobile: + 61 430 436 758
LinkedIn: http://www.linkedin.com/in/AllwynFernandes
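The "if (connection is not using TLS) use sendfile() else use normal IO" rule from the PS, written out as an added C example. This is not code from Allwyn's patch or from the server it targets: the `conn_t` struct is a hypothetical stand-in for the server's connection state, and `tls_send()` is a toy that XORs bytes with a fixed key where the real code would call `gnutls_record_send()`. The toy cipher exists only so a test can see which path the bytes took: on a plaintext connection the file body reaches the peer untouched via sendfile(), and on a "TLS" connection every byte has passed through the userspace layer. Sending the kernel's unencrypted copy on a TLS socket is exactly the failure the mail describes.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/sendfile.h>
#endif

/* Constructed sample response body and toy "session key" (not real data). */
static const char SAMPLE_BODY[] = "<html>hello world</html>";
#define SAMPLE_LEN (sizeof(SAMPLE_BODY) - 1)
#define SAMPLE_KEY 0x5a

/* Hypothetical minimal connection state; the real server has its own struct. */
typedef struct {
    int fd;            /* socket file descriptor */
    int is_tls;        /* nonzero once the TLS handshake has completed */
    unsigned char key; /* toy key standing in for the TLS session state */
} conn_t;

static int write_all(int fd, const unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t w = write(fd, buf + off, len - off);
        if (w < 0) return -1;
        off += (size_t)w;
    }
    return 0;
}

/* Toy userspace TLS send: XOR with the key in place of gnutls_record_send().
 * The point is only that encryption happens here, in userspace, so the kernel
 * never sees a ready-to-send plaintext it could hand to sendfile(). */
static ssize_t tls_send(conn_t *c, const unsigned char *buf, size_t len)
{
    unsigned char enc[4096];
    size_t done = 0;
    while (done < len) {
        size_t n = len - done;
        if (n > sizeof enc) n = sizeof enc;
        for (size_t i = 0; i < n; i++) enc[i] = buf[done + i] ^ c->key;
        if (write_all(c->fd, enc, n) < 0) return -1;
        done += n;
    }
    return (ssize_t)done;
}

/* "Normal IO": read the file into userspace and push it through the TLS layer
 * (or plain write() on platforms without sendfile()). */
static ssize_t copy_userspace(conn_t *c, int file_fd, size_t size)
{
    unsigned char buf[4096];
    size_t sent = 0;
    while (sent < size) {
        ssize_t r = read(file_fd, buf, sizeof buf);
        if (r < 0) return -1;
        if (r == 0) break;
        if (c->is_tls ? tls_send(c, buf, (size_t)r) < 0
                      : write_all(c->fd, buf, (size_t)r) < 0) return -1;
        sent += (size_t)r;
    }
    return (ssize_t)sent;
}

/* The decision the mail describes: sendfile() copies file bytes kernel-to-socket
 * and bypasses userspace entirely, so it is only correct on a plaintext socket. */
int use_sendfile(const conn_t *c)
{
#ifdef __linux__
    return !c->is_tls;
#else
    (void)c;
    return 0;
#endif
}

ssize_t send_file_body(conn_t *c, int file_fd, size_t size)
{
#ifdef __linux__
    if (use_sendfile(c)) {
        size_t sent = 0;
        while (sent < size) {
            ssize_t n = sendfile(c->fd, file_fd, NULL, size - sent);
            if (n < 0) return -1;
            if (n == 0) break;
            sent += (size_t)n;
        }
        return (ssize_t)sent;
    }
#endif
    return copy_userspace(c, file_fd, size);
}

/* Demo harness: temp file + AF_UNIX socketpair as a stand-in for the client.
 * Returns the number of bytes the peer received, or -1 on error. */
int run_demo(int is_tls, unsigned char *out, size_t outlen)
{
    char path[] = "/tmp/sendfile_demo_XXXXXX";
    int file_fd = mkstemp(path);
    if (file_fd < 0) return -1;
    unlink(path);
    if (write(file_fd, SAMPLE_BODY, SAMPLE_LEN) != (ssize_t)SAMPLE_LEN ||
        lseek(file_fd, 0, SEEK_SET) != 0) { close(file_fd); return -1; }

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(file_fd); return -1; }
    conn_t c = { sv[0], is_tls, SAMPLE_KEY };
    ssize_t sent = send_file_body(&c, file_fd, SAMPLE_LEN);
    close(sv[0]);
    close(file_fd);
    if (sent < 0) { close(sv[1]); return -1; }

    size_t got = 0;
    while (got < outlen) {
        ssize_t r = read(sv[1], out + got, outlen - got);
        if (r <= 0) break;
        got += (size_t)r;
    }
    close(sv[1]);
    return (int)got;
}

int main(void)
{
    unsigned char out[64];
    int n = run_demo(0, out, sizeof out);
    printf("plaintext: %d bytes, first byte 0x%02x\n", n, out[0]);
    n = run_demo(1, out, sizeof out);
    printf("tls      : %d bytes, first byte 0x%02x (0x%02x ^ 0x%02x)\n",
           n, out[0], (unsigned char)SAMPLE_BODY[0], SAMPLE_KEY);
    return 0;
}
```

The check that matters is in `use_sendfile()`: it must be consulted per connection, after the handshake has set `is_tls`, not decided once at build time from the *_SENDFILE option. With the example's toy key, anything that arrives at the peer still equal to the file contents on a TLS connection means the kernel path was taken by mistake.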