X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=lib%2FPublicInbox%2FTLS.pm;h=3ce57f1b4069456ed01c3835849de92a1213fe9d;hb=refs%2Fheads%2Fmaster;hp=576c11d7cc0f917c70c646a98254eb3146306827;hpb=b70cf61f0c1f70621b88fe6420083a576d47f19f;p=public-inbox.git
diff --git a/lib/PublicInbox/TLS.pm b/lib/PublicInbox/TLS.pm
index 576c11d7..3ce57f1b 100644
--- a/lib/PublicInbox/TLS.pm
+++ b/lib/PublicInbox/TLS.pm
@@ -1,24 +1,45 @@
-# Copyright (C) 2019 all contributors
+# Copyright (C) all contributors
 # License: AGPL-3.0+
 # IO::Socket::SSL support code
 package PublicInbox::TLS;
 use strict;
 use IO::Socket::SSL;
-require Carp;
-use Errno qw(EAGAIN);
 use PublicInbox::Syscall qw(EPOLLIN EPOLLOUT);
+use Carp qw(carp croak);
 sub err () { $SSL_ERROR }
 # returns the EPOLL event bit which matches the existing SSL error
 sub epollbit () {
- if ($! == EAGAIN) {
- return EPOLLIN if $SSL_ERROR == SSL_WANT_READ;
- return EPOLLOUT if $SSL_ERROR == SSL_WANT_WRITE;
- die "unexpected SSL error: $SSL_ERROR";
+ return EPOLLIN if $SSL_ERROR == SSL_WANT_READ;
+ return EPOLLOUT if $SSL_ERROR == SSL_WANT_WRITE;
+ carp "unexpected SSL error: $SSL_ERROR";
+ undef;
+}
+
+sub _ctx_new ($) {
+ my ($tlsd) = @_;
+ my $ctx = IO::Socket::SSL::SSL_Context->new(
+ @{$tlsd->{ssl_ctx_opt}}, SSL_server => 1) or
+ croak "SSL_Context->new: $SSL_ERROR";
+
+ # save ~34K per idle connection (cf. SSL_CTX_set_mode(3ssl))
+ # RSS goes from 346MB to 171MB with 10K idle NNTPS clients on amd64
+ # cf. https://rt.cpan.org/Ticket/Display.html?id=129463
+ my $mode = eval { Net::SSLeay::MODE_RELEASE_BUFFERS() };
+ if ($mode && $ctx->{context}) {
+ eval { Net::SSLeay::CTX_set_mode($ctx->{context}, $mode) };
+ warn "W: $@ (setting SSL_MODE_RELEASE_BUFFERS)\n" if $@;
 }
- 0;
+ $ctx;
+}
+
+sub start {
+ my ($io, $tlsd) = @_;
+ IO::Socket::SSL->start_SSL($io, SSL_server => 1,
+ SSL_reuse_ctx => ($tlsd->{ssl_ctx} //= _ctx_new($tlsd)),
+ SSL_startHandshake => 0);
 }
 1;
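Review bot: In `_ctx_new` the argument list `@{$tlsd->{ssl_ctx_opt}}` is evaluated before `SSL_Context->new` is called, so under `use strict` an unset `ssl_ctx_opt` key dies with the generic "Can't use an undefined value as an ARRAY reference" and the intended `croak "SSL_Context->new: $SSL_ERROR"` never runs; if the caller can ever omit that key, `@{$tlsd->{ssl_ctx_opt} // []}` preserves the meaningful error. The MODE_RELEASE_BUFFERS block reads `$ctx->{context}`, which is an internal field of the IO::Socket::SSL::SSL_Context object rather than a documented accessor, and a one-line comment such as `# {context} is an IO::Socket::SSL internal; the truth check and eval keep this best-effort` would explain why the whole block is wrapped defensively. Also note that `epollbit` now returns `undef` after `carp` where the old code died, so its callers (presumably elsewhere in the project) must treat undef as "give up on this connection" rather than pass it on as an epoll event mask.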