MAJOR: ssl: add openssl async mode support
ssl-mode-async is a global configuration parameter which enables
asynchronous processing in OPENSSL for all SSL connections haproxy
handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a
retry with SSL_ERROR_WANT_ASYNC if an asynchronous
capable engine is used to perform cryptographic operations. Currently
async mode only supports one async-capable engine.
This is the latest version of the patchset which includes Emeric's
updates:
- improved async fd cleaning when openssl reports an fd to delete
- prevent conn_fd_handler from calling SSL_{read,write,handshake} until
the async fd is ready, as these operations are very slow and waste CPU
- postpone of SSL_free to ensure the async operation can complete and
does not cause a dereference of a released SSL.
- proper removal of async fd from the fdtab and removal of the unused async
flag.
diff --git a/include/proto/connection.h b/include/proto/connection.h
index 2380bb8..235671e 100644
--- a/include/proto/connection.h
+++ b/include/proto/connection.h
@@ -502,6 +502,10 @@
conn->target = NULL;
conn->proxy_netns = NULL;
LIST_INIT(&conn->list);
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ conn->async_fd = -1;
+#endif
}
/* Tries to allocate a new connection and initialized its main fields. The
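Review bot: the `#if OPENSSL_VERSION_NUMBER >= 0x1010000fL` guard around `conn->async_fd = -1;` keys the initialization on a version number rather than on the feature, so any library that reports a high OPENSSL_VERSION_NUMBER but does not provide the async API (or an OpenSSL built with `no-async`) will compile this line while the rest of the async support is unavailable; consider a feature-based guard such as `#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)`, ideally wrapped in one dedicated macro so this header and `include/types/connection.h` cannot drift apart.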
diff --git a/include/types/connection.h b/include/types/connection.h
index 9d1b51a..e19f883 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -303,6 +303,10 @@
struct sockaddr_storage from; /* client address, or address to spoof when connecting to the server */
struct sockaddr_storage to; /* address reached by the client, or address to connect to */
} addr; /* addresses of the remote side, client for producer and server for consumer */
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+ OSSL_ASYNC_FD async_fd;
+#endif
};
/* proxy protocol v2 definitions */
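Review bot: the new `OSSL_ASYNC_FD async_fd;` member is the only field in this region without a trailing comment, while the neighbouring `from`/`to`/`addr` fields each document their meaning; add one stating that it holds the fd reported by the async engine and is -1 when no async operation is pending, since that sentinel is what the initialization in `include/proto/connection.h` relies on. Also worth confirming that this types header (or something it includes) pulls in `openssl/async.h`, as `OSSL_ASYNC_FD` is defined there and the include is not visible in this hunk.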