git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Willy Tarreau <w@1wt.eu>
	Thu, 21 Feb 2013 06:46:09 +0000 (07:46 +0100)
committer	Willy Tarreau <w@1wt.eu>
	Thu, 21 Feb 2013 06:53:13 +0000 (07:53 +0100)
commit	bfd5946aa1e9e381eacb70c837b47f38436bff3e
tree	9cf0f077ad1d5bfb3a714b7c8cb432ff3fce8e47	tree \| snapshot
parent	a6bd1a1c4075271cb0713b6099c44a9d538e619f	commit \| diff

MINOR: ssl: add a global tunable for the max SSL/TLS record size

Add new tunable "tune.ssl.maxrecord".

Over SSL/TLS, the client can decipher the data only once it has received
a full record. With large records, it means that clients might have to
download up to 16kB of data before starting to process them. Limiting the
record size can improve page load times on browsers located over high
latency or low bandwidth networks. It is suggested to find optimal values
which fit into 1 or 2 TCP segments (generally 1448 bytes over Ethernet
with TCP timestamps enabled, or 1460 when timestamps are disabled), keeping
in mind that SSL/TLS add some overhead. Typical values of 1419 and 2859
gave good results during tests. Use "strace -e trace=write" to find the
best value.

This trick was first suggested by Mike Belshe :

http://www.belshe.com/2010/12/17/performance-and-the-tls-record-size/

Then requested again by Ilya Grigorik who provides some hints here :

http://ofps.oreilly.com/titles/9781449344764/_transport_layer_security_tls.html#ch04_00000101

doc/configuration.txt		diff \| blob \| blame \| history
include/types/global.h		diff \| blob \| blame \| history
src/cfgparse.c		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history