diff --git a/lib/PublicInbox/TLS.pm b/lib/PublicInbox/TLS.pm
index 0b9a55df..3ce57f1b 100644
--- a/lib/PublicInbox/TLS.pm
+++ b/lib/PublicInbox/TLS.pm
@@ -1,13 +1,12 @@
-# Copyright (C) 2019 all contributors
+# Copyright (C) all contributors
# License: AGPL-3.0+
# IO::Socket::SSL support code
package PublicInbox::TLS;
use strict;
use IO::Socket::SSL;
-require Carp;
-use Errno qw(EAGAIN);
use PublicInbox::Syscall qw(EPOLLIN EPOLLOUT);
+use Carp qw(carp croak);
sub err () { $SSL_ERROR }
@@ -15,7 +14,32 @@ sub err () { $SSL_ERROR }
sub epollbit () {
return EPOLLIN if $SSL_ERROR == SSL_WANT_READ;
return EPOLLOUT if $SSL_ERROR == SSL_WANT_WRITE;
- die "unexpected SSL error: $SSL_ERROR";
+ carp "unexpected SSL error: $SSL_ERROR";
+ undef;
+}
+
+sub _ctx_new ($) {
+ my ($tlsd) = @_;
+ my $ctx = IO::Socket::SSL::SSL_Context->new(
+ @{$tlsd->{ssl_ctx_opt}}, SSL_server => 1) or
+ croak "SSL_Context->new: $SSL_ERROR";
+
+ # save ~34K per idle connection (cf. SSL_CTX_set_mode(3ssl))
+ # RSS goes from 346MB to 171MB with 10K idle NNTPS clients on amd64
+ # cf. https://rt.cpan.org/Ticket/Display.html?id=129463
+ my $mode = eval { Net::SSLeay::MODE_RELEASE_BUFFERS() };
+ if ($mode && $ctx->{context}) {
+ eval { Net::SSLeay::CTX_set_mode($ctx->{context}, $mode) };
+ warn "W: $@ (setting SSL_MODE_RELEASE_BUFFERS)\n" if $@;
+ }
+ $ctx;
+}
+
+sub start {
+ my ($io, $tlsd) = @_;
+ IO::Socket::SSL->start_SSL($io, SSL_server => 1,
+ SSL_reuse_ctx => ($tlsd->{ssl_ctx} //= _ctx_new($tlsd)),
+ SSL_startHandshake => 0);
}
1;
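Review bot: `epollbit` now `carp`s and returns `undef` on any `$SSL_ERROR` other than WANT_READ/WANT_WRITE where it previously died, so every caller that folds the result into an epoll mask must treat `undef` as "close this connection", not as "no events" — otherwise a peer that provokes SSL_ERROR_SSL/SSL_ERROR_SYSCALL mid-handshake can leave the socket armed with no wakeup, or be retried and `carp` on every loop iteration, which a hostile client could use to flood logs. The callers are outside this hunk so I can't confirm how `undef` is consumed; a contract comment above `undef;` would pin it down: `# only WANT_READ/WANT_WRITE are retryable; caller must drop the connection on undef`. Relatedly, `start` passes through `start_SSL`'s return (the upgraded handle, or false with `$SSL_ERROR` set) without checking or documenting it, and `_ctx_new` reaches into `$ctx->{context}`, an undocumented IO::Socket::SSL internal — if that field ever changes the `if` silently skips MODE_RELEASE_BUFFERS, so an `else { warn "W: no SSL_CTX handle; MODE_RELEASE_BUFFERS not set\n" }` would make the regression visible. Minor: the hunk imports `carp` but `_ctx_new` still uses bare `warn` for the `CTX_set_mode` failure.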