On 01/28/2014 03:58 PM, Emeric Brun wrote:
Hi Ilya,
Ah, interesting. Doing a bit more digging on this end, I see
"SSL_set_max_send_fragment", albeit that's from back in 2005. Is that
what you guys are looking at?
https://github.com/openssl/openssl/commit/566dda07ba16f9d3b9774fd5c8d526d7cc93f179
Yes, that's it! It appears in OpenSSL 1.0.0.
In attachment, another patch to test SSL_set_max_send_fragment.
Regards,
Emeric
From d7d52f8e0532ea7a0538ea11ec7ecb95cd2fb4fa Mon Sep 17 00:00:00 2001
From: Emeric Brun <eb...@exceliance.fr>
Date: Tue, 28 Jan 2014 16:17:49 +0100
Subject: [PATCH 2/2] MINOR: ssl: Set openssl max_send_fragment using
tune.ssm_max_record.
If max_send_fragment is not defined in the linked OpenSSL version, we
keep the older behavior (limiting the length of SSL_write operations).
---
src/ssl_sock.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 765a5d6..f09263e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -783,6 +783,10 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
}
}
#endif
+#ifdef SSL_CTX_set_max_send_fragment
+ if (global.tune.ssl_max_record)
+ SSL_CTX_set_max_send_fragment(ctx, global.tune.ssl_max_record);
+#endif
return cfgerr;
}
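Review bot: the return value of SSL_CTX_set_max_send_fragment() is discarded in this hunk, so a value the library refuses leaves the context at its default fragment size with no diagnostic, while the write-side cap in ssl_sock_from_buf is compiled out by the same macro test. Since this function already accumulates cfgerr, the failure can be reported like the other configuration errors around it, for example `if (!SSL_CTX_set_max_send_fragment(ctx, global.tune.ssl_max_record)) cfgerr++;` together with an Alert naming the bind line. Also note that `#ifdef` on SSL_CTX_set_max_send_fragment relies on it being a preprocessor macro in ssl.h; if a future OpenSSL exposes it only as a function, the guard silently disables the feature rather than failing the build.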
@@ -1031,6 +1035,10 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphers);
cfgerr++;
}
+#ifdef SSL_CTX_set_max_send_fragment
+ if (global.tune.ssl_max_record)
+ SSL_CTX_set_max_send_fragment(srv->ssl_ctx.ctx, global.tune.ssl_max_record);
+#endif
return cfgerr;
}
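Review bot: this block duplicates the one added to ssl_sock_prepare_ctx() verbatim, differing only in the context pointer, so the two will drift apart the first time one of them gains a return-value check or a different clamp. A small static helper taking an SSL_CTX * and returning 0/1 would keep both call sites identical, and in this function the failure could be reported with the srv->conf.file and srv->conf.line already used in the Alert just above, followed by `cfgerr++;` as the surrounding code does for bad cipher strings.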
@@ -1476,8 +1484,10 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
while (buf->o) {
try = bo_contig_data(buf);
+#ifndef SSL_CTX_set_max_send_fragment
if (global.tune.ssl_max_record && try > global.tune.ssl_max_record)
try = global.tune.ssl_max_record;
+#endif
ret = SSL_write(conn->xprt_ctx, bo_ptr(buf), try);
if (conn->flags & CO_FL_ERROR) {
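Review bot: wrapping the existing cap in `#ifndef SSL_CTX_set_max_send_fragment` makes the runtime meaning of tune.ssl_max_record depend on which OpenSSL headers the binary was compiled against: with the macro present, `try` is no longer bounded here and each SSL_write may be handed the whole contiguous buffer, leaving the library to split it into records of the configured size; without it, the old one-record-per-SSL_write behaviour remains. The three conditionals across this patch test the same OpenSSL macro in opposite senses, so a single feature macro defined once near the top of ssl_sock.c (for example HAVE_SSL_MAX_SEND_FRAGMENT, set from the `#ifdef`) would make the pairing explicit and harder to get out of sync, and the documentation for the tune setting should state that the two code paths can produce different record patterns.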
--
1.7.9.5