Hello! On Mon, May 06, 2019 at 06:02:10AM +0000, Ben Ben Ishay wrote:
[...] > > - The SSL_sendfile() call you are using in this version does not > > seem to exists in any published version of OpenSSL, including > > github repo. This is not going to work. > > > we attach a documentation link about this > function(https://github.com/Mellanox/openssl/blob/tls_sendfile/doc/man3/SSL_write.pod), > > we have a pull request at advanced stage for adding this function. > > > - The approach you are using - that is, introducing changes into > > ngx_linux_sendfile_chain.c - is not portable, and is not going > > to work on other platforms if/when appropriate kernel level and > > OpenSSL level support will be available. As suggested in the > > previous thread, this should be something handled at the > > ngx_event_openssl.c level. > > > we think that this is the best solution because there is a unique > function for every OS and there is a difference between them for > example ngx_linux_sendfile_chain use TCP_CORK option while > ngx_freebsd_sendfile_chain dosent(in addition in solaris function > ngx_solaris_sendfilev_chain there is a call to sendfilev that dosent > exists in linux) , we can create a function that is constructed from the > diffrenet flow for OS's but we think this option include copying code > and thus the best option is to change the sendfile call in every > ngx_sendfile function when the OS and OPENSSL will support SSL_Sendfile. While handling of the sendfile() syscall is certainly OS-specific, the SSL_sendfile() interface as provided by OpenSSL is certainly not going to follow these OS-specific code paths. For example, I cannot reasonably assume SSL_sendfile() will support headers and trailers on FreeBSD, or will be similar to sendfilev() interface on Solaris. That is, SSL_sendfile() is going to be a separate interface, different from all the OS-specific interfaces, with its own features and limitations. And most likely it will need different error handling, including handling of SSL-specific errors. As such, trying to change OS-specific sendfile chains in nginx looks wrong to me. Not to mention it will require additional application-level work upon introduction of in-kernel SSL/TLS in other OSes. Rather, it should be an SSL-level changes, introducing an SSL-level send chain, similar to one we already provide for SSL_write(). (Note well that using BIO_get_ktls_send() to find out if SSL_sendfile() can be used or not also looks strange and non-portable. If the route taken is to provide SSL_sendfile(), an OS-independent interface to use sendfile() when supported by the OpenSSL library, there should be a simplier / more portable way to test if SSL_sendfile() can be used on a particular SSL connection.) -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
