[sr-dev] git:master: tls: new parameters for advanced openssl options

Andrei Pelinescu-Onciul andrei at iptel.org
Fri Mar 19 15:31:04 CET 2010


Module: sip-router
Branch: master
Commit: 0c5b835259ab27216a9f34ddf445a49604a6c70c
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0c5b835259ab27216a9f34ddf445a49604a6c70c

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date:   Fri Mar 19 15:11:49 2010 +0100

tls: new parameters for advanced openssl options

- ssl_release_buffers: release internal openssl read or write
  buffers when they are no longer used (complete read or write that
  does not have to buffer anything).
  Should be used together with tls_free_list_max_len. Might have
  some performance impact (and extra *malloc pressure), but has
  also the potential of saving a lot of memory (at least 32k/idle
  connection in the default config, or ~16k+tls_max_send_fragment).
  Works only with openssl >= 1.0.0.

- ssl_freelist_max_len: maximum length of free/unused memory
  buffers/chunks per connection. Setting it to 0 would cause any
  unused buffers to be immediately freed and hence a lower memory
  footprint (at the cost of a possible performance hit and more
  *malloc pressure). Too large a value would result in extra memory
  consumption. The default is 32 in openssl.
  For lowest memory usage set it to 0 and tls_mode_release_buffers
  to 1.
  Works / makes sense only for openssl >= 1.0.0.

- ssl_max_send_fragment: maximum number of bytes (clear text) sent
  into one record. The default and maximum value are ~16k. Lower
  values would lead to a lower memory footprint. Values lower than
  the typical app. write size might decrease performance, so
  it should be kept ~2k+ for normal SIP traffic.
  Too low values (e.g. <1024) might cause the initial handshake
  to fail, so use with care.
  Works only for openssl >= 0.9.9.

- ssl_read_ahead: enable read ahead. Should increase performance
  (1 less syscall when enabled, else openssl makes 1 read() for
  each record header and another for the content), but might
  interact with SSL_pending() (not used right now).
  Default: 1 (enabled).

---

 modules/tls/tls_domain.c |  244 ++++++++++++++++++++++++++++++++++++++++++++-
 modules/tls/tls_mod.c    |   49 ++++++++--
 modules/tls/tls_mod.h    |   13 ++-
 3 files changed, 288 insertions(+), 18 deletions(-)

Diff:   http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commitdiff;h=0c5b835259ab27216a9f34ddf445a49604a6c70c
