X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=lib%2FPublicInbox%2FTLS.pm;h=3ce57f1b4069456ed01c3835849de92a1213fe9d;hb=refs%2Fheads%2Fmaster;hp=576c11d7cc0f917c70c646a98254eb3146306827;hpb=b70cf61f0c1f70621b88fe6420083a576d47f19f;p=public-inbox.git
diff --git a/lib/PublicInbox/TLS.pm b/lib/PublicInbox/TLS.pm
index 576c11d7..3ce57f1b 100644
--- a/lib/PublicInbox/TLS.pm
+++ b/lib/PublicInbox/TLS.pm
@@ -1,24 +1,45 @@
-# Copyright (C) 2019 all contributors
+# Copyright (C) all contributors
# License: AGPL-3.0+
# IO::Socket::SSL support code
package PublicInbox::TLS;
use strict;
use IO::Socket::SSL;
-require Carp;
-use Errno qw(EAGAIN);
use PublicInbox::Syscall qw(EPOLLIN EPOLLOUT);
+use Carp qw(carp croak);
sub err () { $SSL_ERROR }
# returns the EPOLL event bit which matches the existing SSL error
sub epollbit () {
- if ($! == EAGAIN) {
- return EPOLLIN if $SSL_ERROR == SSL_WANT_READ;
- return EPOLLOUT if $SSL_ERROR == SSL_WANT_WRITE;
- die "unexpected SSL error: $SSL_ERROR";
+ return EPOLLIN if $SSL_ERROR == SSL_WANT_READ;
+ return EPOLLOUT if $SSL_ERROR == SSL_WANT_WRITE;
+ carp "unexpected SSL error: $SSL_ERROR";
+ undef;
+}
+
+sub _ctx_new ($) {
+ my ($tlsd) = @_;
+ my $ctx = IO::Socket::SSL::SSL_Context->new(
+ @{$tlsd->{ssl_ctx_opt}}, SSL_server => 1) or
+ croak "SSL_Context->new: $SSL_ERROR";
+
+ # save ~34K per idle connection (cf. SSL_CTX_set_mode(3ssl))
+ # RSS goes from 346MB to 171MB with 10K idle NNTPS clients on amd64
+ # cf. https://rt.cpan.org/Ticket/Display.html?id=129463
+ my $mode = eval { Net::SSLeay::MODE_RELEASE_BUFFERS() };
+ if ($mode && $ctx->{context}) {
+ eval { Net::SSLeay::CTX_set_mode($ctx->{context}, $mode) };
+ warn "W: $@ (setting SSL_MODE_RELEASE_BUFFERS)\n" if $@;
}
- 0;
+ $ctx;
+}
+
+sub start {
+ my ($io, $tlsd) = @_;
+ IO::Socket::SSL->start_SSL($io, SSL_server => 1,
+ SSL_reuse_ctx => ($tlsd->{ssl_ctx} //= _ctx_new($tlsd)),
+ SSL_startHandshake => 0);
}
1;