Module: sip-router Branch: andrei/tcp_tls_changes Commit: 6ecd49834d6f683188484f96d46874b48274dd8c URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6ecd4983...
Author: Andrei Pelinescu-Onciul andrei@iptel.org Committer: Andrei Pelinescu-Onciul andrei@iptel.org Date: Fri Jul 16 15:52:13 2010 +0200
tls: change read_ahead, buffers and freelist defaults
- disable ssl_read_ahead by default. It is not needed anymore since now we have our own memory-like BIO, which buffers the socket I/O. While in the normal direct socket access case it's an important speed-up, in our case it would consume more memory and introduce a minor slow-down (extra memcpy). - if the openssl version supports it (>= 1.0.0) default to ssl_release_buffers = 1 (which instructs openssl to free the buffers as soon as possible) and ssl_freelist_max = 0 (don't keep free buffers around). This should decrease openssl memory consumption with no other impact (since we buffer everything in our custom BIO anyway).
---
modules/tls/tls_cfg.c | 21 ++++++++++++++++----- modules/tls/tls_domain.c | 2 +- 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/modules/tls/tls_cfg.c b/modules/tls/tls_cfg.c
index 8f1cff9..88b9b0f 100644
--- a/modules/tls/tls_cfg.c
+++ b/modules/tls/tls_cfg.c
@@ -53,10 +53,19 @@ struct cfg_group_tls default_tls_cfg = {
 3, /* log */
 600, /* con_lifetime (s)*/
 1, /* disable_compression */
- -1, /* ssl_release_buffers (use the default: off) */
- -1, /* ssl_freelist_max (use the default: 32) */
- -1, /* ssl_max_send_fragment (use the default: 16k)*/
- 1, /* ssl_read_ahead (set, use -1 for the openssl default value)*/
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L
+ 1, /* ssl_release_buffers (on, avoid extra buffering) */
+#else
+ -1, /* ssl_release_buffers: old openssl, leave it untouched */
+#endif /* openssl >= 1.0.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L && ! defined OPENSSL_NO_BUF_FREELISTS
+ 0, /* ssl_freelist_max (immediately free) */
+#else
+ -1, /* ssl_freelist_max: old openssl, leave it untouched */
+#endif /* openssl >= 1.0.0 */
+ -1, /* ssl_max_send_fragment (use the default: 16k), requires openssl
+ > 0.9.9 */
+ 0, /* ssl_read_ahead (off, not needed, we have our own buffering BIO)*/
 -1, /* low_mem_threshold1 */
 -1, /* low_mem_threshold2 */
 10*1024*1024, /* ct_wq_max: 10 Mb by default */
@@ -172,7 +181,9 @@ cfg_def_t tls_cfg_def[] = {
 " Works only for OpenSSL >= 0.9.9"},
 {"ssl_read_ahead", CFG_VAR_INT | CFG_READONLY, -1, 1, 0, 0,
 "Enables read ahead, reducing the number of BIO read calls done"
- " internally by the OpenSSL library" },
+ " internally by the OpenSSL library. Note that in newer tls"
+ " module versions it is better to have read ahead disabled, since"
+ " everything it is buffered in memory anyway"},
 {"low_mem_threshold1", CFG_VAR_INT | CFG_ATOMIC, -1, 1<<30, 0, 0,
 "sets the minimum amount of free memory for accepting new TLS"
 " connections (KB)"},
diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
index 97dc942..34fc23a 100644
--- a/modules/tls/tls_domain.c
+++ b/modules/tls/tls_domain.c
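Review bot: The two new `#if OPENSSL_VERSION_NUMBER >= 0x01000000L` tests in the `default_tls_cfg` initializer depend on `<openssl/opensslv.h>` (or a header that pulls it in) already being included in tls_cfg.c; if it is not, the preprocessor treats the undefined macro as 0 and silently selects the `-1` branches, so the new release_buffers/freelist defaults would never take effect and nothing would report it. The include is outside the hunk, so I cannot confirm it from here; a cheap safeguard before the initializer is `#ifndef OPENSSL_VERSION_NUMBER` / `#error "OPENSSL_VERSION_NUMBER not defined: include <openssl/opensslv.h>"` / `#endif`. Separately, the second `#endif` comment reads `/* openssl >= 1.0.0 */` although that block is also conditioned on `OPENSSL_NO_BUF_FREELISTS`; `/* openssl >= 1.0.0 && !OPENSSL_NO_BUF_FREELISTS */` would describe it accurately. The initializer continues outside the hunk on both sides.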
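Review bot: The extended help string for `ssl_read_ahead` contains a grammatical slip that operators will see verbatim: `" everything it is buffered in memory anyway"},` should read `" everything is buffered in memory anyway"},`. Since the same commit turns the default off in `default_tls_cfg`, the text could also state that, e.g. ending with `"... anyway (default: off)"`, so the description and the compiled-in default stay in step. The `tls_cfg_def` array starts and ends outside the hunk.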
@@ -828,7 +828,7 @@ int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
 #endif
 #endif
 #if defined (OPENSSL_NO_BUF_FREELISTS) || OPENSSL_VERSION_NUMBER < 0x01000000L
- if (ssl_freelist_max_len != 0)
+ if (ssl_freelist_max_len >= 0)
 ERR("cannot change openssl freelist_max_len, openssl too old"
 "(needed at least 1.0.0) or compiled without freelist support"
 " (OPENSSL_NO_BUF_FREELIST)\n");
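Review bot: The ERR message guarded by the changed `if (ssl_freelist_max_len >= 0)` names a macro that differs from the one the `#if` above actually tests, and its string pieces concatenate without a space: the build checks `OPENSSL_NO_BUF_FREELISTS` while the text says `(OPENSSL_NO_BUF_FREELIST)`, and `"too old" "(needed"` prints as `too old(needed`. Suggest `"cannot change openssl freelist_max_len, openssl too old"` / `" (needed at least 1.0.0) or compiled without freelist support"` / `" (OPENSSL_NO_BUF_FREELISTS)\n"`. The `>= 0` condition is consistent with the new `-1` default for old OpenSSL in tls_cfg.c, so only an explicitly configured value reaches the message; tls_fix_domains_cfg begins before the hunk and where `ssl_freelist_max_len` is read from is not visible here.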