BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically.
The number of async fd is computed considering the maxconn, the number
of sides using ssl and the number of engines using async mode.
This patch should be backported on haproxy 1.8
diff --git a/src/haproxy.c b/src/haproxy.c
index bd8608f..eb5e65b 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1780,6 +1780,11 @@
global.hardmaxconn = global.maxconn; /* keep this max value */
global.maxsock += global.maxconn * 2; /* each connection needs two sockets */
global.maxsock += global.maxpipes * 2; /* each pipe needs two FDs */
+ /* compute fd used by async engines */
+ if (global.ssl_used_async_engines) {
+ int sides = !!global.ssl_used_frontend + !!global.ssl_used_backend;
+ global.maxsock += global.maxconn * sides * global.ssl_used_async_engines;
+ }
if (global.stats_fe)
global.maxsock += global.stats_fe->maxconn;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 4741be1..f9d5f25 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -161,6 +161,7 @@
int sslconns = 0;
int totalsslconns = 0;
static struct xprt_ops ssl_sock;
+int nb_engines = 0;
static struct {
char *crt_base; /* base directory path for certificates */
@@ -411,6 +412,9 @@
el = calloc(1, sizeof(*el));
el->e = engine;
LIST_ADD(&openssl_engines, &el->list);
+ nb_engines++;
+ if (global_ssl.async)
+ global.ssl_used_async_engines = nb_engines;
return 0;
fail_set_method:
@@ -7978,6 +7982,7 @@
{
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
global_ssl.async = 1;
+ global.ssl_used_async_engines = nb_engines;
return 0;
#else
memprintf(err, "'%s': openssl library does not support async mode", args[0]);