mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl-sock: pass the CO_SFL_MSG_MORE info down the stack

Browse Source 
Despite having replaced the SSL BIOs to use our own raw_sock layer, we
still didn't exploit the CO_SFL_MSG_MORE flag which is pretty useful to
avoid sending incomplete packets. It's particularly important for SSL
since the extra overhead almost guarantees that each send() will be
followed by an incomplete (and often odd-sided) segment.

We already have an xprt_st set of flags to pass info to the various
layers, so let's just add a new one, SSL_SOCK_SEND_MORE, that is set
or cleared during ssl_sock_from_buf() to transfer the knowledge of
CO_SFL_MSG_MORE. This way we can recover this information and pass
it to raw_sock.

This alone is sufficient to increase by ~5-10% the H2 bandwidth over
SSL when multiple streams are used in parallel.
This commit is contained in:
Willy Tarreau 2023-03-17 16:13:05 +01:00
parent 464fa06e9a
commit ac78c4fd9d
2 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/haproxy/ssl_sock-t.h
View File

@ -49,6 +49,7 @@
#define SSL_SOCK_ST_FL_16K_WBFSIZE 0x00000002
#define SSL_SOCK_SEND_UNLIMITED 0x00000004
#define SSL_SOCK_RECV_HEARTBEAT 0x00000008
#define SSL_SOCK_SEND_MORE 0x00000010 /* set MSG_MORE at lower levels */
/* bits 0xFFFFFF00 are reserved to store verify errors.
* The CA en CRT error codes will be stored on 7 bits each

9
src/ssl_sock.c
View File

@ -214,6 +214,7 @@ static int ha_ssl_write(BIO *h, const char *buf, int num)
{
struct buffer tmpbuf;
struct ssl_sock_ctx *ctx;
uint flags;
int ret;
ctx = BIO_get_data(h);
@ -221,7 +222,8 @@ static int ha_ssl_write(BIO *h, const char *buf, int num)
tmpbuf.area = (void *)(uintptr_t)buf;
tmpbuf.data = num;
tmpbuf.head = 0;
ret = ctx->xprt->snd_buf(ctx->conn, ctx->xprt_ctx, &tmpbuf, num, 0);
flags = (ctx->xprt_st & SSL_SOCK_SEND_MORE) ? CO_SFL_MSG_MORE : 0;
ret = ctx->xprt->snd_buf(ctx->conn, ctx->xprt_ctx, &tmpbuf, num, flags);
if (ret == 0 && !(ctx->conn->flags & (CO_FL_ERROR | CO_FL_SOCK_WR_SH))) {
BIO_set_retry_write(h);
ret = -1;
@ -6449,6 +6451,11 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
}
if (try < count || flags & CO_SFL_MSG_MORE)
ctx->xprt_st |= SSL_SOCK_SEND_MORE;
else
ctx->xprt_st &= ~SSL_SOCK_SEND_MORE;
#ifdef SSL_READ_EARLY_DATA_SUCCESS
if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
unsigned int max_early;