From d92aa5c44a88e94d9b71e7726e2e5693df719519 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 15 Jan 2015 21:34:39 +0100
Subject: [PATCH] MINOR: global: report information about the cost of SSL connections

An SSL connection takes some memory when it exists and during handshakes. We measured up to 16kB for an established endpoint, and up to 76 extra kB during a handshake. The SSL layer stores these values into the global struct during initialization. If other SSL libs are used, it's easy to change these values. Anyway they'll only be used as gross estimates in order to guess the max number of SSL conns that can be established when memory is constrained and the limit is not set.
---
 include/common/defaults.h | 11 +++++++++++
 include/types/global.h | 2 ++
 src/ssl_sock.c | 3 +++
 3 files changed, 16 insertions(+)

diff --git a/include/common/defaults.h b/include/common/defaults.h
index db7c07763..cd5edeb4f 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -247,6 +247,17 @@
 #define SSL_DEFAULT_DH_PARAM 0
 #endif
+/* max memory cost per SSL session */
+#ifndef SSL_SESSION_MAX_COST
+#define SSL_SESSION_MAX_COST (16*1024) // measured
+#endif
+
+/* max memory cost per SSL handshake (on top of session) */
+#ifndef SSL_HANDSHAKE_MAX_COST
+#define SSL_HANDSHAKE_MAX_COST (76*1024) // measured
+#endif
+#endif
+
 /* Number of samples used to compute the times reported in stats. A power of
 * two is highly recommended, and this value multiplied by the largest response
 * time must not overflow and unsigned int. See freq_ctr.h for more information.
diff --git a/include/types/global.h b/include/types/global.h
index ab80c72e0..afd7aef11 100644
--- a/include/types/global.h
+++ b/include/types/global.h
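Review bot: The second consecutive `+#endif` after the SSL_HANDSHAKE_MAX_COST block looks unmatched: both added `#ifndef` guards are closed by their own `#endif`, and the context `#endif` just above the insertion already closes `#ifndef SSL_DEFAULT_DH_PARAM`, so unless a conditional opened before this hunk is meant to be terminated here, the preprocessor will reject the header with an extra-`#endif` error in every build that includes defaults.h. The intended block is presumably just `#ifndef SSL_HANDSHAKE_MAX_COST` / `#define SSL_HANDSHAKE_MAX_COST (76*1024) // measured` / `#endif`, with the duplicate line removed. The bare `// measured` comments would also be more useful to whoever retunes these for another SSL library if they said what the figure covers, e.g. `// measured: bytes held per established endpoint, gross estimate` and `// measured: extra bytes held while a handshake is in flight, gross estimate`, since the commit message says they are only estimates used to bound SSL connection counts under memory pressure.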
@@ -84,6 +84,8 @@ struct global {
 int nbproc;
 int maxconn, hardmaxconn;
 int maxsslconn;
+ int ssl_session_max_cost; /* how many bytes an SSL session may cost */
+ int ssl_handshake_max_cost; /* how many bytes an SSL handshake may use */
 int ssl_used_frontend; /* non-zero if SSL is used in a frontend */
 int ssl_used_backend; /* non-zero if SSL is used in a backend */
 #ifdef USE_OPENSSL
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 3bf71cf35..67422dc75 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4720,6 +4720,9 @@ static void __ssl_sock_init(void)
 bind_register_keywords(&bind_kws);
 srv_register_keywords(&srv_kws);
 cfg_register_keywords(&cfg_kws);
+
+ global.ssl_session_max_cost = SSL_SESSION_MAX_COST;
+ global.ssl_handshake_max_cost = SSL_HANDSHAKE_MAX_COST;
 }
 /*
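Review bot: The new fields `ssl_session_max_cost` and `ssl_handshake_max_cost` are signed `int` byte counts, and the commit message says they will be multiplied against connection counts to bound SSL connections when memory is constrained; a product such as `maxsslconn * ssl_session_max_cost` overflows `int` at roughly 131072 sessions with the 16 KiB default, which is undefined behaviour in C and would silently defeat the very limit being computed. Declaring them `unsigned int` or `size_t`, or stating in the comment that consumers must widen before multiplying, avoids that trap: `int ssl_session_max_cost; /* bytes an SSL session may cost; widen to 64 bits before multiplying by a connection count */`. Note also that the fields are placed above the `#ifdef USE_OPENSSL` section, so they exist (and must be meaningful, or documented as zero) in non-SSL builds; the enclosing `struct global` begins before the hunk.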
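Review bot: These assignments run only inside `__ssl_sock_init`, i.e. only when haproxy is built with the OpenSSL layer, while the fields they set are unconditional members of `struct global`, so in a build without SSL both costs remain at their zero-initialised value; any later estimate that divides available memory by `global.ssl_session_max_cost` therefore needs a zero guard, and any estimate that multiplies by it needs to do so in 64-bit arithmetic. A short comment at the assignment would make that contract visible to the consumer: `/* gross per-connection memory estimates from defaults.h; stay 0 when SSL is not built in */`. If a configuration keyword is later meant to override these defaults, it must take effect after this initializer runs, which is worth noting here as well; the body of `__ssl_sock_init` begins before the hunk.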