Optimization: Spend less CPU and RAM on adjustSSL(). Speed gain: ~5%.

Do not store extension types just to iterate over them in adjustSSL().
Check for extension support while parsing instead. Since the list of
OpenSSL-supported extensions is constant (does not depend on the
connection), we do not need to create and index extension storage once
for each TLS connection; we now do it once per worker lifetime instead.

Use std::unordered_set instead of std::list for ciphers. Most real-world
cipher lists probably contain dozens of 2-byte entries, making std::list
storage a poor choice. Unlike TLS extensions, supported ciphers depend
on the connection so we have to store all of them to check whether each
stored cipher is supported for the SSL connection object created later.
Having an O(1) lookup speeds up that last check a lot compared to the
old linear search across all stored ciphers.

Do fast adjustSSL() checks before the longer cipher loop check.

Added TLSEXT_TYPE_signature_algorithms(13) and
TLSEXT_TYPE_next_proto_neg(13172) to the list of TLS extensions
supported by OpenSSL and recognized by Squid. Recognizing these
extensions is necessary for adjustSSL() to work in more real-world
cases.

Also sorted TLSEXT_TYPE_* entries and replaced "#if 0" code with a way
to build Squid to recognize more extensions as OpenSSL's list grows.
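
The pattern this commit message describes, sketched as an added example that is not Squid's code: extension support is decided during parsing against a set built once per process, offered ciphers go into a std::unordered_set, and the cheap flag checks run before the cipher loop. HelloDetails, SupportedExtensions(), parseHello() and canAdjust() are hypothetical names, the three-entry extension set is a sample subset, and the "any shared cipher" rule is a simplified stand-in for the real adjustSSL() decision.

```cpp
#include <cstddef>
#include <cstdint>
#include <unordered_set>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Hypothetical per-connection parse result (not Squid's real type).
struct HelloDetails {
    std::unordered_set<uint16_t> ciphers;  // client-offered cipher IDs
    bool unsupportedExtensions = false;    // decided while parsing
    bool malformed = false;
};

// Built once per process, not per connection. Sample subset only:
// server_name(0), signature_algorithms(13), next_proto_neg(13172).
static const std::unordered_set<uint16_t> &SupportedExtensions() {
    static const std::unordered_set<uint16_t> known = {0, 13, 13172};
    return known;
}

static uint16_t be16(const Bytes &b, size_t i) { return uint16_t(b[i] << 8 | b[i + 1]); }

// cipherList: raw 2-byte cipher IDs; extList: type(2) length(2) data(length) records.
HelloDetails parseHello(const Bytes &cipherList, const Bytes &extList) {
    HelloDetails d;
    if (cipherList.size() % 2) d.malformed = true;
    for (size_t i = 0; i + 1 < cipherList.size(); i += 2)
        d.ciphers.insert(be16(cipherList, i));
    for (size_t i = 0; i < extList.size();) {
        if (extList.size() - i < 4) { d.malformed = true; break; }
        const size_t len = be16(extList, i + 2);
        if (extList.size() - i - 4 < len) { d.malformed = true; break; }
        // Check support here; the extension type itself is never stored.
        if (!SupportedExtensions().count(be16(extList, i)))
            d.unsupportedExtensions = true;
        i += 4 + len;
    }
    return d;
}

// Fast flag checks first, then one O(1) lookup per locally enabled cipher.
bool canAdjust(const HelloDetails &d, const std::vector<uint16_t> &localCiphers) {
    if (d.malformed || d.unsupportedExtensions) return false;
    for (const uint16_t id : localCiphers)
        if (d.ciphers.count(id)) return true;
    return false;
}
```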