[sr-dev] git:andrei/tcp_tls_changes: tls: change read_ahead, buffers and freelist defaults

Andrei Pelinescu-Onciul andrei at iptel.org
Fri Jul 16 16:06:41 CEST 2010


Module: sip-router
Branch: andrei/tcp_tls_changes
Commit: 6ecd49834d6f683188484f96d46874b48274dd8c
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6ecd49834d6f683188484f96d46874b48274dd8c

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date:   Fri Jul 16 15:52:13 2010 +0200

tls: change read_ahead, buffers and freelist defaults

- disable ssl_read_ahead by default. It is not needed anymore
  since now we have our own memory-like BIO, which buffers the
  socket I/O. While in the normal direct socket access case it's
  an important speed-up, in our case it would consume more memory
  and introduce a minor slow-down (extra memcpy).
- if the openssl version supports it (>= 1.0.0) default to
  ssl_release_buffers = 1 (which instructs openssl to free the
  buffers as soon as possible) and ssl_freelist_max = 0 (don't
  keep free buffers around). This should decrease openssl memory
  consumption with no other impact (since we buffer everything in
  our custom BIO anyway).

---

 modules/tls/tls_cfg.c    |   21 ++++++++++++++++-----
 modules/tls/tls_domain.c |    2 +-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/modules/tls/tls_cfg.c b/modules/tls/tls_cfg.c
index 8f1cff9..88b9b0f 100644
--- a/modules/tls/tls_cfg.c
+++ b/modules/tls/tls_cfg.c
@@ -53,10 +53,19 @@ struct cfg_group_tls default_tls_cfg = {
 	3, /* log */
 	600, /* con_lifetime (s)*/
 	1, /* disable_compression */
-	-1, /* ssl_release_buffers (use the default: off) */
-	-1, /* ssl_freelist_max  (use the default: 32) */
-	-1, /* ssl_max_send_fragment (use the default: 16k)*/
-	1, /* ssl_read_ahead (set, use -1 for the openssl default value)*/
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L
+	1, /* ssl_release_buffers (on, avoid extra buffering) */
+#else
+	-1, /* ssl_release_buffers: old openssl, leave it untouched */
+#endif /* openssl >= 1.0.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L && ! defined OPENSSL_NO_BUF_FREELISTS
+	0, /* ssl_freelist_max  (immediately free) */
+#else
+	-1, /* ssl_freelist_max: old openssl, leave it untouched */
+#endif /* openssl >= 1.0.0 */
+	-1, /* ssl_max_send_fragment (use the default: 16k), requires openssl
+		   > 0.9.9 */
+	0, /* ssl_read_ahead (off, not needed, we have our own buffering BIO)*/
 	-1, /* low_mem_threshold1 */
 	-1, /* low_mem_threshold2 */
 	10*1024*1024, /* ct_wq_max: 10 Mb by default */
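Review bot: the closing comment on the second guard, `#endif /* openssl >= 1.0.0 */`, does not match its `#if`, which also tests `! defined OPENSSL_NO_BUF_FREELISTS`; label it `#endif /* openssl >= 1.0.0 && !OPENSSL_NO_BUF_FREELISTS */` so the two adjacent blocks cannot be confused when read from the bottom. The pairing of 0 (free immediately) on supported builds and -1 on unsupported ones relies on -1 being the "leave untouched" sentinel that tls_domain.c now checks with `>= 0`, so a short comment saying that -1 means "do not touch" would stop someone later normalising it to 0 and triggering the error path on old OpenSSL. Minor: the wrapped `> 0.9.9` comment on ssl_max_send_fragment is indented with a tab plus spaces, unlike the neighbouring lines.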
@@ -172,7 +181,9 @@ cfg_def_t	tls_cfg_def[] = {
 		" Works only for OpenSSL >= 0.9.9"},
 	{"ssl_read_ahead", CFG_VAR_INT | CFG_READONLY, -1, 1, 0, 0,
 		"Enables read ahead, reducing the number of BIO read calls done"
-		" internally by the OpenSSL library" },
+		" internally by the OpenSSL library. Note that in newer tls"
+	    " module versions it is better to have read ahead disabled, since"
+		" everything it is buffered in memory anyway"},
 	{"low_mem_threshold1", CFG_VAR_INT | CFG_ATOMIC, -1, 1<<30, 0, 0,
 		"sets the minimum amount of free memory for accepting new TLS"
 		" connections (KB)"},
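Review bot: the new help text has a grammar slip, "everything it is buffered in memory anyway" should read "everything is buffered in memory anyway", and the middle continuation line is indented with spaces where the surrounding lines use tabs. Since the compiled-in default for this read-only variable now flips from 1 to 0, stating the default in the description (for example ". Default: off") would keep the cfg help from implying that read ahead is still enabled.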
diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
index 97dc942..34fc23a 100644
--- a/modules/tls/tls_domain.c
+++ b/modules/tls/tls_domain.c
@@ -828,7 +828,7 @@ int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
 #endif
 #endif
 #if defined (OPENSSL_NO_BUF_FREELISTS) || OPENSSL_VERSION_NUMBER < 0x01000000L
-	if (ssl_freelist_max_len != 0)
+	if (ssl_freelist_max_len >= 0)
 		ERR("cannot change openssl freelist_max_len, openssl too old"
 				"(needed at least 1.0.0) or compiled without freelist support"
 				" (OPENSSL_NO_BUF_FREELIST)\n");
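Review bot: changing the test to `>= 0` is the right fix now that 0 is a meaningful configured value and -1 is the "leave it alone" sentinel, but the message it prints has two pre-existing defects visible in this hunk: the string concatenation `"openssl too old" "(needed at least 1.0.0)"` yields "too old(needed" with no space, and the text names OPENSSL_NO_BUF_FREELIST while the `#if` above tests OPENSSL_NO_BUF_FREELISTS. Both are cheap to correct while this condition is being touched.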
