``url`` now defaults to ``/dns-query`` instead of ``/``, and does exact matching instead of accepting sub-paths. Added ``tcpListenQueueSize`` parameter.
.. versionchanged:: 1.6.0
- ``exactPathMatching`` option added.
+ ``exactPathMatching`` and ``releaseBuffers`` options added.
Listen on the specified address and TCP port for incoming DNS over HTTPS connections, presenting the specified X.509 certificate.
If no certificate (or key) files are specified, listen for incoming DNS over HTTP connections instead.
* ``tcpListenQueueSize=SOMAXCONN``: int - Set the size of the listen queue. Default is ``SOMAXCONN``.
* ``internalPipeBufferSize=0``: int - Set the size in bytes of the internal buffer of the pipes used internally to pass queries and responses between threads. Requires support for ``F_SETPIPE_SZ`` which is present in Linux since 2.6.35. The actual size might be rounded up to a multiple of a page size. 0 means that the OS default size is used.
* ``exactPathMatching=true``: bool - Whether to do exact path matching of the query path against the paths configured in ``urls`` (true, the default since 1.5.0) or to accepts sub-paths (false, and was the default before 1.5.0).
+ * ``releaseBuffers=true``: bool - Whether OpenSSL should release its I/O buffers when a connection goes idle, saving roughly 35 kB of memory per connection.
.. function:: addTLSLocal(address, certFile(s), keyFile(s) [, options])
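Review bot: the new ``releaseBuffers=true`` entry for ``addDOHLocal`` states only the saving (roughly 35 kB per idle connection) and not the cost, so an operator has no basis for deciding when to set it to false. Suggest adding that the buffers have to be allocated again when the connection becomes active, and noting in the entry itself that, because the default is true, existing listeners change behaviour from 1.6.0 on.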
.. versionchanged:: 1.5.0
``sessionTimeout`` and ``tcpListenQueueSize`` options added.
.. versionchanged:: 1.6.0
- Added ``maxInFlight`` parameter.
+ ``maxInFlight`` and ``releaseBuffers`` options added.
Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
* ``keyLogFile``: str - Write the TLS keys in the specified file so that an external program can decrypt TLS exchanges, in the format described in https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. Note that this feature requires OpenSSL >= 1.1.1.
* ``tcpListenQueueSize=SOMAXCONN``: int - Set the size of the listen queue. Default is ``SOMAXCONN``.
* ``maxInFlight=0``: int - Maximum number of in-flight queries. The default is 0, which disables out-of-order processing.
+ * ``releaseBuffers=true``: bool - Whether OpenSSL should release its I/O buffers when a connection goes idle, saving roughly 35 kB of memory per connection.
.. function:: setLocal(address[, options])
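Review bot: the ``releaseBuffers`` entry added to the ``addTLSLocal`` options carries no build requirement, while the ``keyLogFile`` entry three lines above it spells out its OpenSSL requirement. The code sets the mode only inside ``#ifdef SSL_MODE_RELEASE_BUFFERS``, so the entry should say that the option has no effect when the TLS library the binary was built against does not define that mode.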
SSL_CTX_sess_set_cache_size(ctx.get(), config.d_maxStoredSessions);
}
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ if (config.d_releaseBuffers) {
+ SSL_CTX_set_mode(ctx.get(), SSL_MODE_RELEASE_BUFFERS);
+ }
+#endif
+
/* we need to set this callback to acknowledge the server name sent by the client,
otherwise it will not stored in the session and will not be accessible when the
session is resumed, causing SSL_get_servername to return nullptr */
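Review bot: the ``#ifdef SSL_MODE_RELEASE_BUFFERS`` guard makes ``releaseBuffers=true`` a silent no-op on builds where the macro is not defined, and since the option defaults to true nobody will notice that the documented memory saving is not happening. Suggest an ``#else`` branch that logs a warning when ``config.d_releaseBuffers`` is set, or at least a comment at the guard stating that the setting is ignored there. A short comment above the block saying why the mode is enabled, in the style of the comment that follows it, would also help the next reader.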