Use SSL_MODE_RELEASE_BUFFERS if available

Sets SSL_MODE_RELEASE_BUFFERS if available, to keep openSSL memory
usage as low as possible.

For more info, see
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
https://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

See also trac #157

Signed-off-by: Cristian Rodriguez <crrodriguez@opensuse.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <5381FEFF.1040609@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 3a222d85caa506471670924ef4507f751b6dec2b..4862badcac25adbf942ddc6ea5dfdc91df663201 100644 (file)
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -198,6 +198,9 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
     SSL_CTX_set_options (ctx->ctx, sslopt);
   }
 
+#ifdef SSL_MODE_RELEASE_BUFFERS
+  SSL_CTX_set_mode (ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
   SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF);
   SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback);