
tls: config option for sending close notify alerts

Added a new config option for enabling or disabling the sending of
close notify alerts prior to closing the corresponding tcp
connection. Sending the close notify prior to tcp shutdown is
nicer from a TLS point of view, but it has a measurable
performance impact and it's not a must (3-4% when using 50% cpu,
with a debug build and 300cps => 6-8% from the cpu is spent on
close notify alerts).
By default it's off (change from older versions where it was
hardwired-on).
It can be changed via modparam (
e.g. modparam("tls", "send_close_notify", 1) )
or at runtime
(e.g. sercmd cfg.set_now_int tls send_close_notify 1 ).

Andrei Pelinescu-Onciul authored on 16/06/2010 16:26:51
Showing 4 changed files
@@ -61,7 +61,8 @@ struct cfg_group_tls default_tls_cfg = {
61 61
 	-1, /* low_mem_threshold2 */
62 62
 	10*1024*1024, /* ct_wq_max: 10 Mb by default */
63 63
 	64*1024, /* con_ct_wq_max: 64Kb by default */
64
-	4096 /* ct_wq_blk_size */
64
+	4096, /* ct_wq_blk_size */
65
+	0 /* send_close_notify (off by default)*/
65 66
 };
66 67
 
67 68
 void* tls_cfg = &default_tls_cfg;
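Review bot: The new `0 /* send_close_notify (off by default)*/` entry depends on the positional order of `default_tls_cfg` matching the member order of `struct cfg_group_tls`, so a member later inserted before `send_close_notify` in the header would silently shift this value onto the wrong field. A designated initializer, `.send_close_notify = 0, /* off by default */`, binds the value to the member name and can be mixed with the existing positional entries in C99. The closing `};` is visible here, so the initializer is complete within the hunk.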
@@ -191,6 +192,10 @@ cfg_def_t	tls_cfg_def[] = {
191 192
 	{"ct_wq_blk_size", CFG_VAR_INT | CFG_ATOMIC, 1, 65536, 0, 0,
192 193
 		"internal TLS pre-write (clear-text) queue minimum block size"
193 194
 		" (advanced tunning or debugging for now)"},
195
+	{"send_close_notify", CFG_VAR_INT | CFG_ATOMIC, 0, 1, 0, 0,
196
+		"enable/disable sending a close notify TLS shutdown alert"
197
+			" before closing the corresponding TCP connection."
198
+			"Note that having it enabled has a performance impact."},
194 199
 	{0, 0, 0, 0, 0, 0}
195 200
 };
196 201
 
@@ -90,6 +90,8 @@ struct cfg_group_tls {
90 90
 	int ct_wq_max; /* maximum overall tls write clear text queued bytes */
91 91
 	int con_ct_wq_max; /* maximum clear text write queued bytes per con */
92 92
 	int ct_wq_blk_size; /* minimum block size for the clear text write queue */
93
+	int send_close_notify; /* if set try to be nice and send a shutdown alert
94
+						    before closing the tcp connection */
93 95
 };
94 96
 
95 97
 
@@ -205,6 +205,7 @@ static param_export_t params[] = {
205 205
 	{"ssl_max_send_fragment", PARAM_INT,
206 206
 									   &default_tls_cfg.ssl_max_send_fragment},
207 207
 	{"ssl_read_ahead",        PARAM_INT,    &default_tls_cfg.ssl_read_ahead},
208
+	{"send_close_notify",   PARAM_INT,    &default_tls_cfg.send_close_notify},
208 209
 	{"tls_force_run",       PARAM_INT,    &default_tls_cfg.force_run},
209 210
 	{"low_mem_threshold1",  PARAM_INT,    &default_tls_cfg.low_mem_threshold1},
210 211
 	{"low_mem_threshold2",  PARAM_INT,    &default_tls_cfg.low_mem_threshold2},
@@ -502,7 +502,7 @@ void tls_h_close(struct tcp_connection *c, int fd)
502 502
 	 * still be in a writer, so in this case locking is needed.
503 503
 	 */
504 504
 	DBG("Closing SSL connection %p\n", c->extra_data);
505
-	if (likely(c->extra_data)) {
505
+	if (unlikely(cfg_get(tls, tls_cfg, send_close_notify) && c->extra_data)) {
506 506
 		lock_get(&c->write_lock);
507 507
 			if (unlikely(c->extra_data == 0)) {
508 508
 				/* changed in the meanwhile */
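Review bot: The guard on new line 505 now skips the entire `c->extra_data` block when send_close_notify is off, and the hunk does not show whether that block is also where the SSL object behind `c->extra_data` is released; if it is, the new default would skip that release, so confirm that the teardown of `c->extra_data` is still reached on the option-off path. tls_h_close's body continues past this hunk. A one-line comment above the condition, `/* optional close_notify alert (cfg send_close_notify); the TCP close follows either way */`, would record the intent for the next reader.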