[sr-dev] git:andrei/tcp_tls_changes: tls: config option for sending close notify alerts

Andrei Pelinescu-Onciul andrei at iptel.org
Wed Jun 16 18:44:59 CEST 2010


Module: sip-router
Branch: andrei/tcp_tls_changes
Commit: dabd96ab1a8aaa6c90bfddcd8ae4dec79964ea2f
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=dabd96ab1a8aaa6c90bfddcd8ae4dec79964ea2f

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date:   Wed Jun 16 18:26:51 2010 +0200

tls: config option for sending close notify alerts

Added a new config option for enabling or disabling the sending of
close notify alerts prior to closing the corresponding tcp
connection. Sending the close notify prior to tcp shutdown is
nicer from a TLS point of view, but it has a measurable
performance impact and it's not a must (3-4% when using 50% cpu,
with a debug build and 300cps => 6-8% of the cpu is spent on
close notify alerts).
By default it's off (change from older versions where it was
hardwired-on).
It can be changed via modparam (
e.g. modparam("tls", "send_close_notify", 1) )
or at runtime
(e.g. sercmd cfg.set_now_int tls send_close_notify 1 ).

---

 modules/tls/tls_cfg.c    |    7 ++++++-
 modules/tls/tls_cfg.h    |    2 ++
 modules/tls/tls_mod.c    |    1 +
 modules/tls/tls_server.c |    2 +-
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/tls/tls_cfg.c b/modules/tls/tls_cfg.c
index b255626..8f1cff9 100644
--- a/modules/tls/tls_cfg.c
+++ b/modules/tls/tls_cfg.c
@@ -61,7 +61,8 @@ struct cfg_group_tls default_tls_cfg = {
 	-1, /* low_mem_threshold2 */
 	10*1024*1024, /* ct_wq_max: 10 Mb by default */
 	64*1024, /* con_ct_wq_max: 64Kb by default */
-	4096 /* ct_wq_blk_size */
+	4096, /* ct_wq_blk_size */
+	0 /* send_close_notify (off by default)*/
 };
 
 void* tls_cfg = &default_tls_cfg;
@@ -191,6 +192,10 @@ cfg_def_t	tls_cfg_def[] = {
 	{"ct_wq_blk_size", CFG_VAR_INT | CFG_ATOMIC, 1, 65536, 0, 0,
 		"internal TLS pre-write (clear-text) queue minimum block size"
 		" (advanced tunning or debugging for now)"},
+	{"send_close_notify", CFG_VAR_INT | CFG_ATOMIC, 0, 1, 0, 0,
+		"enable/disable sending a close notify TLS shutdown alert"
+			" before closing the corresponding TCP connection."
+			"Note that having it enabled has a performance impact."},
 	{0, 0, 0, 0, 0, 0}
 };
 
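Review bot: The help text of the new send_close_notify cfg_def entry concatenates `connection."` and `"Note that` with no separating space, so the rendered description reads `...TCP connection.Note that...`; change the last fragment to `" Note that having it enabled has a performance impact."`. Since the option is now off by default, the text should also state the cost of the other side of the trade-off, which is what an operator deciding on the setting actually needs: with close_notify suppressed the peer receives a bare TCP close it cannot distinguish from a truncated stream, which is why RFC 5246 section 7.2.1 requires the alert. A possible final fragment is `" Disabling it (the default) means peers cannot tell an orderly close from a truncated connection."`.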
diff --git a/modules/tls/tls_cfg.h b/modules/tls/tls_cfg.h
index 41e149c..eea7292 100644
--- a/modules/tls/tls_cfg.h
+++ b/modules/tls/tls_cfg.h
@@ -90,6 +90,8 @@ struct cfg_group_tls {
 	int ct_wq_max; /* maximum overall tls write clear text queued bytes */
 	int con_ct_wq_max; /* maximum clear text write queued bytes per con */
 	int ct_wq_blk_size; /* minimum block size for the clear text write queue */
+	int send_close_notify; /* if set try to be nice and send a shutdown alert
+						    before closing the tcp connection */
 };
 
 
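Review bot: The comment on the new send_close_notify field only says the code "tries to be nice", so a reader of the struct cannot tell what turning it off costs or what the default is. Suggested replacement: `/* send a TLS close_notify alert before closing the tcp connection (RFC 5246 7.2.1). Off by default: the peer then sees a bare TCP close it cannot distinguish from a truncated stream */`. The field is appended at the end of the struct, which keeps the positional initializer list in tls_cfg.c aligned; that coupling is worth a short note here too, since inserting a later field anywhere else would silently shift every value in that list.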
diff --git a/modules/tls/tls_mod.c b/modules/tls/tls_mod.c
index de12b5b..49c4ec3 100644
--- a/modules/tls/tls_mod.c
+++ b/modules/tls/tls_mod.c
@@ -205,6 +205,7 @@ static param_export_t params[] = {
 	{"ssl_max_send_fragment", PARAM_INT,
 									   &default_tls_cfg.ssl_max_send_fragment},
 	{"ssl_read_ahead",        PARAM_INT,    &default_tls_cfg.ssl_read_ahead},
+	{"send_close_notify",   PARAM_INT,    &default_tls_cfg.send_close_notify},
 	{"tls_force_run",       PARAM_INT,    &default_tls_cfg.force_run},
 	{"low_mem_threshold1",  PARAM_INT,    &default_tls_cfg.low_mem_threshold1},
 	{"low_mem_threshold2",  PARAM_INT,    &default_tls_cfg.low_mem_threshold2},
diff --git a/modules/tls/tls_server.c b/modules/tls/tls_server.c
index c99e6b3..be661de 100644
--- a/modules/tls/tls_server.c
+++ b/modules/tls/tls_server.c
@@ -502,7 +502,7 @@ void tls_h_close(struct tcp_connection *c, int fd)
 	 * still be in a writer, so in this case locking is needed.
 	 */
 	DBG("Closing SSL connection %p\n", c->extra_data);
-	if (likely(c->extra_data)) {
+	if (unlikely(cfg_get(tls, tls_cfg, send_close_notify) && c->extra_data)) {
 		lock_get(&c->write_lock);
 			if (unlikely(c->extra_data == 0)) {
 				/* changed in the meanwhile */
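Review bot: The rewritten condition in tls_h_close now skips the entire locked block, not only the alert, whenever send_close_notify is 0, which is the new default; the block's body continues past the hunk, so if it also does anything besides the shutdown alert — for example clearing or releasing c->extra_data — that work no longer happens on the default path and should be hoisted out of the new condition. Please confirm that the SSL object is torn down by the connection cleanup path regardless of this option; from the hunk alone that cannot be verified. The new branch also deserves a comment recording the trade-off the commit makes, e.g. `/* close_notify is optional (send_close_notify, off by default): without it the peer gets a bare TCP close it cannot tell from a truncation (RFC 5246 7.2.1) */`. Finally, `unlikely()` is now tied to a runtime setting, so it mispredicts on every deployment that enables the option; a plain `if` would be neutral.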



