details: http://hg.nginx.org/nginx/rev/a720f0b0e083 branches: changeset: 5395:a720f0b0e083 user: Maxim Dounin <mdou...@mdounin.ru> date: Fri Sep 27 19:39:33 2013 +0400 description: SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
diffstat:
src/event/ngx_event_openssl.c | 26 ++++++++++++++++++++++++++
src/event/ngx_event_openssl.h | 1 +
2 files changed, 27 insertions(+), 0 deletions(-)
diffs (54 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -521,6 +521,7 @@ ngx_ssl_verify_callback(int ok, X509_STO
 static void
 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
 {
+ BIO *rbio, *wbio;
 ngx_connection_t *c;
 if (where & SSL_CB_HANDSHAKE_START) {
@@ -531,6 +532,31 @@ ngx_ssl_info_callback(const ngx_ssl_conn
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
 }
 }
+
+ if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
+ c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+ if (!c->ssl->handshake_buffer_set) {
+ /*
+ * By default OpenSSL uses 4k buffer during a handshake,
+ * which is too low for long certificate chains and might
+ * result in extra round-trips.
+ *
+ * To adjust a buffer size we detect that buffering was added
+ * to write side of the connection by comparing rbio and wbio.
+ * If they are different, we assume that it's due to buffering
+ * added to wbio, and set buffer size.
+ */
+
+ rbio = SSL_get_rbio(ssl_conn);
+ wbio = SSL_get_wbio(ssl_conn);
+
+ if (rbio != wbio) {
+ (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
+ c->ssl->handshake_buffer_set = 1;
+ }
+ }
+ }
 }
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -48,6 +48,7 @@ typedef struct {
 unsigned buffer:1;
 unsigned no_wait_shutdown:1;
 unsigned no_send_shutdown:1;
+ unsigned handshake_buffer_set:1;
 } ngx_ssl_connection_t;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
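Review bot: The `rbio != wbio` test in the added SSL_CB_ACCEPT_LOOP block only infers that wbio is OpenSSL's buffering BIO, and the resize is then issued to whatever BIO is installed on the write side. Making the assumption explicit, e.g. `if (rbio != wbio && BIO_method_type(wbio) == BIO_TYPE_BUFFER) {`, would keep the control call from reaching an unrelated BIO if the write side is ever wrapped for another reason. `handshake_buffer_set` is also set to 1 when `BIO_set_write_buffer_size()` returns 0, so a failed resize is never retried and leaves no trace; if that best-effort behaviour is intended, a comment such as `/* best effort: on failure OpenSSL keeps its default buffer */` next to the `(void)` cast would say so. The larger buffer is held per connection while it is in handshake, so worst-case memory under many concurrent handshakes scales with NGX_SSL_BUFSIZE, whose value is defined outside this diff and is worth confirming against the expected connection limits. The function itself begins in the previous hunk.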