BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit...

The number of async fd is computed considering the maxconn, the number
of sides using ssl and the number of engines using async mode.

This patch should be backported on haproxy 1.8

diff --git a/include/types/global.h b/include/types/global.h
index a3d1e96202641d83ad90431b497e6adfd08f83e9..1f332074bd2b8b8bf66c8e50f1e15ae32a8517fc 100644 (file)
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -97,6 +97,7 @@ struct global {
        int ssl_handshake_max_cost; /* how many bytes an SSL handshake may use */
        int ssl_used_frontend;      /* non-zero if SSL is used in a frontend */
        int ssl_used_backend;       /* non-zero if SSL is used in a backend */
+       int ssl_used_async_engines; /* number of used async engines */
        unsigned int ssl_server_verify; /* default verify mode on servers side */
        struct freq_ctr conn_per_sec;
        struct freq_ctr sess_per_sec;

diff --git a/src/haproxy.c b/src/haproxy.c
index bd8608f74ae1fe924d1fc0b9b6aed60feac8409c..eb5e65b40e7b8b2a4f8fb04b3552401e42fb0a89 100644 (file)
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1780,6 +1780,11 @@ static void init(int argc, char **argv)
        global.hardmaxconn = global.maxconn;  /* keep this max value */
        global.maxsock += global.maxconn * 2; /* each connection needs two sockets */
        global.maxsock += global.maxpipes * 2; /* each pipe needs two FDs */
+       /* compute fd used by async engines */
+       if (global.ssl_used_async_engines) {
+               int sides = !!global.ssl_used_frontend + !!global.ssl_used_backend;
+               global.maxsock += global.maxconn * sides * global.ssl_used_async_engines;
+       }
 
        if (global.stats_fe)
                global.maxsock += global.stats_fe->maxconn;

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 4741be11c577734d0e476925560cd871e3f9550d..f9d5f25675e3fc532e5402329aad05adc8967d8f 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -161,6 +161,7 @@ enum {
 int sslconns = 0;
 int totalsslconns = 0;
 static struct xprt_ops ssl_sock;
+int nb_engines = 0;
 
 static struct {
        char *crt_base;             /* base directory path for certificates */
@@ -411,6 +412,9 @@ static int ssl_init_single_engine(const char *engine_id, const char *def_algorit
        el = calloc(1, sizeof(*el));
        el->e = engine;
        LIST_ADD(&openssl_engines, &el->list);
+       nb_engines++;
+       if (global_ssl.async)
+               global.ssl_used_async_engines = nb_engines;
        return 0;
 
 fail_set_method:
@@ -7978,6 +7982,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
        global_ssl.async = 1;
+       global.ssl_used_async_engines = nb_engines;
        return 0;
 #else
        memprintf(err, "'%s': openssl library does not support async mode", args[0]);