
tls: change read_ahead, buffers and freelist defaults

- disable ssl_read_ahead by default. It is not needed anymore
since now we have our own memory-like BIO, which buffers the
socket I/O. While in the normal direct socket access case it's
an important speed-up, in our case it would consume more memory
and introduce a minor slow-down (extra memcpy).
- if the openssl version supports it (>= 1.0.0) default to
ssl_release_buffers = 1 (which instructs openssl to free the
buffers as soon as possible) and ssl_freelist_max = 0 (don't
keep free buffers around). This should decrease openssl memory
consumption with no other impact (since we buffer everything in
our custom BIO anyway).

Andrei Pelinescu-Onciul authored on 16/07/2010 13:52:13
Showing 2 changed files
@@ -53,10 +53,19 @@ struct cfg_group_tls default_tls_cfg = {
53 53
 	3, /* log */
54 54
 	600, /* con_lifetime (s)*/
55 55
 	1, /* disable_compression */
56
-	-1, /* ssl_release_buffers (use the default: off) */
57
-	-1, /* ssl_freelist_max  (use the default: 32) */
58
-	-1, /* ssl_max_send_fragment (use the default: 16k)*/
59
-	1, /* ssl_read_ahead (set, use -1 for the openssl default value)*/
56
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L
57
+	1, /* ssl_release_buffers (on, avoid extra buffering) */
58
+#else
59
+	-1, /* ssl_release_buffers: old openssl, leave it untouched */
60
+#endif /* openssl >= 1.0.0 */
61
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L && ! defined OPENSSL_NO_BUF_FREELISTS
62
+	0, /* ssl_freelist_max  (immediately free) */
63
+#else
64
+	-1, /* ssl_freelist_max: old openssl, leave it untouched */
65
+#endif /* openssl >= 1.0.0 */
66
+	-1, /* ssl_max_send_fragment (use the default: 16k), requires openssl
67
+		   > 0.9.9 */
68
+	0, /* ssl_read_ahead (off, not needed, we have our own buffering BIO)*/
60 69
 	-1, /* low_mem_threshold1 */
61 70
 	-1, /* low_mem_threshold2 */
62 71
 	10*1024*1024, /* ct_wq_max: 10 Mb by default */
@@ -172,7 +181,9 @@ cfg_def_t	tls_cfg_def[] = {
172 181
 		" Works only for OpenSSL >= 0.9.9"},
173 182
 	{"ssl_read_ahead", CFG_VAR_INT | CFG_READONLY, -1, 1, 0, 0,
174 183
 		"Enables read ahead, reducing the number of BIO read calls done"
175
-		" internally by the OpenSSL library" },
184
+		" internally by the OpenSSL library. Note that in newer tls"
185
+	    " module versions it is better to have read ahead disabled, since"
186
+		" everything it is buffered in memory anyway"},
176 187
 	{"low_mem_threshold1", CFG_VAR_INT | CFG_ATOMIC, -1, 1<<30, 0, 0,
177 188
 		"sets the minimum amount of free memory for accepting new TLS"
178 189
 		" connections (KB)"},
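Review bot: The two new `#if OPENSSL_VERSION_NUMBER >= 0x01000000L` guards in the `default_tls_cfg` initializer compare against a constant that does not encode 1.0.0: in OpenSSL's 0xMNNFFPPS scheme 1.0.0 is 0x1000000fL, so 0x01000000L sits sixteen times lower and only selects the intended builds because no release exists in between. It works today, but it reads as a typo and the same value appears in the pre-existing guard at line 830 of the second file; `#if OPENSSL_VERSION_NUMBER >= 0x10000000L` in all three places would match the documented encoding. The closing `#endif /* openssl >= 1.0.0 */` on the freelist block also understates its condition, which additionally requires `OPENSSL_NO_BUF_FREELISTS` to be undefined, so `#endif /* openssl >= 1.0.0 && !OPENSSL_NO_BUF_FREELISTS */` would be accurate. Since the initializer is positional, a stale comment is the only thing tying each value to its field; designated initializers (`.ssl_release_buffers = 1`) would make the `#if` branches robust to field reordering. Separately, the new ssl_read_ahead help text in the second hunk reads `" everything it is buffered in memory anyway"` and should be `" everything is buffered in memory anyway"`.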
@@ -828,7 +828,7 @@ int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
828 828
 #endif
829 829
 #endif
830 830
 #if defined (OPENSSL_NO_BUF_FREELISTS) || OPENSSL_VERSION_NUMBER < 0x01000000L
831
-	if (ssl_freelist_max_len != 0)
831
+	if (ssl_freelist_max_len >= 0)
832 832
 		ERR("cannot change openssl freelist_max_len, openssl too old"
833 833
 				"(needed at least 1.0.0) or compiled without freelist support"
834 834
 				" (OPENSSL_NO_BUF_FREELIST)\n");
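Review bot: The relaxed condition `if (ssl_freelist_max_len >= 0)` correctly stops the new -1 default from triggering the error on pre-1.0.0 or freelist-less builds, but the message it guards still has two defects worth fixing in the same touch: the adjacent literals `"...openssl too old"` and `"(needed at least 1.0.0)..."` concatenate without a space, and the macro named in the text is `OPENSSL_NO_BUF_FREELIST` while the guard on line 830 tests `OPENSSL_NO_BUF_FREELISTS`. A user reading the log will search for the wrong symbol. Whether a configured but unsupported value only logs or also fails the configuration cannot be seen here, since tls_fix_domains_cfg continues past the hunk; if it only logs, a comment such as `/* non-fatal: the value is ignored on this openssl build */` after the ERR() would make that explicit.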