[openssl-users] Increasing the server write buffer for handshakes in 1.1.0

Brandon Black bblack at wikimedia.org
Mon Nov 14 13:37:13 UTC 2016

On Mon, Nov 14, 2016 at 10:04 AM, Matt Caswell <matt at openssl.org> wrote:
> During the handshake phase OpenSSL adds a buffering BIO in front of the
> wbio. However when you call SSL_get_wbio(), you get back the *real* wbio
> (without the bbio on the front). This is a change of behaviour between
> 1.1.0 and 1.0.2, and was because it was considered a bug that you could
> get back a different wbio from SSL_get_wbio() than the one that you
> originally set!
> So calling BIO_set_write_buffer_size() on the return from SSL_get_wbio()
> is going to make no difference at all!
> Unfortunately, I don't think there *is* a way to get the bbio in 1.1.0.
> I would certainly consider a pull request to add an accessor to get hold
> of it (missing accessors are considered as bug-fixes and so would be
> eligible for inclusion in a future 1.1.0d).

It would be pretty trivial to implement SSL_get_bbio(), and then we
could patch up nginx to use it at the appropriate time (assuming
CB_ACCEPT_LOOP is still the appropriate time - I haven't tried yet).
But from an API usability standpoint for server implementation, this
whole way of dealing with things seems pretty un-intuitive.

Perhaps there should be SSL-level APIs for setting the write buffer
size before the handshaking code is entered?
SSL_set_write_buffer_size() intended to be used shortly after
SSL_new(), but before handshaking begins, and
SSL_CTX_set_write_buffer_size() to set the default inherited by
SSL_new().  The implementation details of the buffer would then be
more-opaque, and when the bbio is first initialized it can be sized
appropriately from the parameter set by those functions and stored in

-- Brandon

More information about the openssl-users mailing list