[openssl-users] Increasing the server write buffer for handshakes in 1.1.0

Matt Caswell matt at openssl.org
Mon Nov 14 14:08:20 UTC 2016



On 14/11/16 13:37, Brandon Black wrote:
> On Mon, Nov 14, 2016 at 10:04 AM, Matt Caswell <matt at openssl.org> wrote:
>> During the handshake phase OpenSSL adds a buffering BIO in front of the
>> wbio. However when you call SSL_get_wbio(), you get back the *real* wbio
>> (without the bbio on the front). This is a change of behaviour between
>> 1.1.0 and 1.0.2, and was because it was considered a bug that you could
>> get back a different wbio from SSL_get_wbio() than the one that you
>> originally set!
>>
>> So calling BIO_set_write_buffer_size() on the return from SSL_get_wbio()
>> is going to make no difference at all!
>>
>> Unfortunately, I don't think there *is* a way to get the bbio in 1.1.0.
>> I would certainly consider a pull request to add an accessor to get hold
>> of it (missing accessors are considered as bug-fixes and so would be
>> eligible for inclusion in a future 1.1.0d).
> 
> It would be pretty trivial to implement SSL_get_bbio(), and then we
> could patch up nginx to use it at the appropriate time (assuming
> CB_ACCEPT_LOOP is still the appropriate time - I haven't tried yet).
> But from an API usability standpoint for server implementation, this
> whole way of dealing with things seems pretty un-intuitive.
> 
> Perhaps there should be SSL-level APIs for setting the write buffer
> size before the handshaking code is entered?
> SSL_set_write_buffer_size() intended to be used shortly after
> SSL_new(), but before handshaking begins, and
> SSL_CTX_set_write_buffer_size() to set the default inherited by
> SSL_new().  The implementation details of the buffer would then be
> more-opaque, and when the bbio is first initialized it can be sized
> appropriately from the parameter set by those functions and stored in
> ssl_session_st.

That would be good too, although that would be counted as a feature, not
a bug fix, so it couldn't be in 1.1.0 (1.1.1 earliest). Perhaps we do
both... again, I'd be happy to look at PRs in this area.

Matt


