MEDIUM: ssl: add support for smaller SSL records

There's a very common openssl patch on the net meant to significantly
reduce openssl's memory usage. This patch has been provided for many
versions now, and it makes sense to add support for it given that it
is very simple. It only requires to add an extra SSL_MODE flag. Just
like for other flags, if the flag is unknown, it's unset. About 44kB
of memory may be saved per SSL session with the patch.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e0b497e4c9b7efc18b6d2fabfb2f6c60bfb9b1ce..e8a3df9d0025b564bc503be068f48e9b219df424 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1462,6 +1462,9 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 #ifndef SSL_MODE_RELEASE_BUFFERS                        /* needs OpenSSL >= 1.0.0 */
 #define SSL_MODE_RELEASE_BUFFERS 0
 #endif
+#ifndef SSL_MODE_SMALL_BUFFERS                          /* needs small_records.patch */
+#define SSL_MODE_SMALL_BUFFERS 0
+#endif
 
 int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *curproxy)
 {
@@ -1478,7 +1481,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
        long sslmode =
                SSL_MODE_ENABLE_PARTIAL_WRITE |
                SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
-               SSL_MODE_RELEASE_BUFFERS;
+               SSL_MODE_RELEASE_BUFFERS |
+               SSL_MODE_SMALL_BUFFERS;
        STACK_OF(SSL_CIPHER) * ciphers = NULL;
        SSL_CIPHER * cipher = NULL;
        char cipher_description[128];
@@ -1806,7 +1810,8 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
        long mode =
                SSL_MODE_ENABLE_PARTIAL_WRITE |
                SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
-               SSL_MODE_RELEASE_BUFFERS;
+               SSL_MODE_RELEASE_BUFFERS |
+               SSL_MODE_SMALL_BUFFERS;
        int verify = SSL_VERIFY_NONE;
 
        /* Make sure openssl opens /dev/urandom before the chroot */