From f3c793686fde2bd5d03d3690c41bb2cb9280e597 Mon Sep 17 00:00:00 2001
From: Susan Hinrichs
Date: Thu, 6 Jul 2017 21:28:23 +0000
Subject: [PATCH 1/3] Revert "set location for client CA cert file"

This reverts commit 6b4d1c6aef82561dc6a2709a2b3ec944271f172c.
---
 iocore/net/SSLNetVConnection.cc | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index f74e2b297c4..e7bc259268b 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -994,14 +994,6 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
     } else {
       clientCTX = params->client_ctx;
     }
-
-    if (this->options.clientVerificationFlag && params->clientCACertFilename != nullptr && params->clientCACertPath != nullptr) {
-      if (!SSL_CTX_load_verify_locations(clientCTX, params->clientCACertFilename, params->clientCACertPath)) {
-        SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename,
-                 params->clientCACertPath);
-        return EVENT_ERROR;
-      }
-    }
 
     this->ssl = make_ssl_connection(clientCTX, this);
     if (this->ssl == nullptr) {

From 44029f4f73a57c9c5e30df4bb4003cbfdb8b9e36 Mon Sep 17 00:00:00 2001
From: Susan Hinrichs
Date: Fri, 7 Jul 2017 14:18:23 +0000
Subject: [PATCH 2/3] Break up the ssl_read_from_net loop. Adjust UA inactivity timeout.

---
 iocore/net/SSLNetVConnection.cc | 20 ++++++++++++++++----
 iocore/net/UnixNetVConnection.cc | 1 +
 proxy/http/HttpSM.cc | 2 ++
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index e7bc259268b..daf89834c23 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -206,11 +206,17 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret)
   while (sslErr == SSL_ERROR_NONE) {
     int64_t block_write_avail = buf.writer()->block_write_avail();
     if (block_write_avail <= 0) {
-      buf.writer()->add_block();
-      block_write_avail = buf.writer()->block_write_avail();
-      if (block_write_avail <= 0) {
-        Warning("Cannot add new block");
+      // If we filled up one block, give back to the event loop so we don't
+      // overbuffer.
+      if (bytes_read > 0) {
         break;
+      } else { // Make sure there is a block to write into
+        buf.writer()->add_block();
+        block_write_avail = buf.writer()->block_write_avail();
+        if (block_write_avail <= 0) {
+          Warning("Cannot add new block");
+          break;
+        }
       }
     }
 
@@ -239,6 +245,8 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret)
       bytes_read += nread;
       if (nread > 0) {
         buf.writer()->fill(nread); // Tell the buffer, we've used the bytes
+        sslvc->netActivity(lthread);
+        //Warning("set next_inactivity %" PRId64 " current time %" PRId64, sslvc->next_inactivity_timeout_at, Thread::get_hrtime());
       }
       break;
     case SSL_ERROR_WANT_WRITE:
@@ -302,6 +310,10 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret)
     ret = bytes_read;
 
     event = (s->vio.ntodo() <= 0) ? SSL_READ_COMPLETE : SSL_READ_READY;
+    if (sslErr == SSL_ERROR_NONE && s->vio.ntodo() > 0) {
+      // We stopped with data on the wire (to avoid overbuffering). Make sure we are triggered
+      sslvc->read.triggered = 1;
+    }
   } else { // if( bytes_read > 0 )
 #if defined(_DEBUG)
   if (bytes_read == 0) {
diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc
index c914f6c52b3..73f162bf0b8 100644
--- a/iocore/net/UnixNetVConnection.cc
+++ b/iocore/net/UnixNetVConnection.cc
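Review bot: The `} else {` that follows the new `break;` in the `bytes_read > 0` branch is redundant and pushes the add_block/Warning path one nesting level deeper than it was; leaving the early exit as `if (bytes_read > 0) { break; }` and keeping the existing `buf.writer()->add_block();` and its failure check at the original depth reads flatter and diffs smaller. The comment "Make sure there is a block to write into" can then sit above the add_block call where the original code had it. The while loop this hunk modifies continues past the end of the hunk.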
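Review bot: The commented-out `//Warning("set next_inactivity ...` line added after `sslvc->netActivity(lthread);` is dead debug code and should be deleted before merge, or turned into a `Debug("ssl", ...)` statement with the same format string if the timestamps are still useful. The `netActivity` call itself now runs once per successful SSL_read inside the loop rather than once per read event, so the inactivity timer is rearmed per decrypted record; that is presumably intended (a peer that keeps delivering bytes stays alive), but it deserves a one-line comment such as `// Rearm the inactivity timeout on every decrypted record, not just per read event` so the next reader does not mistake it for an accident. The switch and the enclosing loop continue outside the hunk.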
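Review bot: The new `sslvc->read.triggered = 1;` re-queues the connection whenever the loop ended with `sslErr == SSL_ERROR_NONE` and `ntodo > 0`, which is also the case when the block happened to fill exactly and nothing is left pending; that is harmless (the next pass will see SSL_ERROR_WANT_READ) but the comment's "data on the wire" overstates what is known. Suggest `// Loop exited early to avoid overbuffering; data may still be pending in the SSL object or the socket, so re-trigger a read pass instead of waiting for the next poll event`. The surrounding if/else in ssl_read_from_net continues outside the hunk.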
@@ -1234,6 +1234,7 @@ UnixNetVConnection::mainEvent(int event, Event *e)
     // ink_assert(next_inactivity_timeout_at < Thread::get_hrtime());
     if (!inactivity_timeout_in || next_inactivity_timeout_at > Thread::get_hrtime())
       return EVENT_CONT;
+    Warning("next_inactivity %" PRId64 " current time %" PRId64, next_inactivity_timeout_at, Thread::get_hrtime());
     signal_event = VC_EVENT_INACTIVITY_TIMEOUT;
     signal_timeout_at = &next_inactivity_timeout_at;
   } else {
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 5e17b0fd423..3c9da09edd9 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -3611,6 +3611,7 @@ HttpSM::tunnel_handler_post_ua(int event, HttpTunnelProducer *p)
     // timeouts
     ua_entry->vc_handler = &HttpSM::state_watch_for_client_abort;
     ua_entry->read_vio = p->vc->do_io_read(this, INT64_MAX, ua_buffer_reader->mbuf);
+    ua_session->set_inactivity_timeout(0);
     break;
   default:
     ink_release_assert(0);
@@ -3697,6 +3698,7 @@ HttpSM::tunnel_handler_post_server(int event, HttpTunnelConsumer *c)
     // on the user agent in order to get timeouts
     // coming to the state machine and not the tunnel
     ua_entry->vc_handler = &HttpSM::state_watch_for_client_abort;
+    ua_session->set_inactivity_timeout(0);
 
     // YTS Team, yamsat Plugin
     // When event is VC_EVENT_ERROR,and when redirection is enabled

From 8158daf14ee2eb8ba8278f3d16c8f7092815938b Mon Sep 17 00:00:00 2001
From: Susan Hinrichs
Date: Fri, 7 Jul 2017 15:30:47 +0000
Subject: [PATCH 3/3] Remove resetting the set inactivity logic

---
 proxy/http/HttpSM.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 3c9da09edd9..c65d5b08604 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
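Review bot: The added `Warning(...)` in mainEvent fires once for every inactivity timeout on every connection, at Warning severity, so a burst of clients that open connections and go silent becomes one log line per connection; that is cheap-to-drive log-volume amplification as well as operator noise. If the two timestamps are needed for the timeout investigation, emit them at debug level with the same format string, `Debug("inactivity_cop", "next_inactivity %" PRId64 " current time %" PRId64, next_inactivity_timeout_at, Thread::get_hrtime());`, otherwise drop the line before merge. The enclosing if/else in mainEvent continues outside the hunk.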
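Review bot: `ua_session->set_inactivity_timeout(0);` in tunnel_handler_post_ua, and the identical call in the tunnel_handler_post_server hunk, switches the user-agent inactivity timeout off rather than rearming it, so a client that finishes its POST body and then goes silent presumably holds the session, the HttpSM and its buffers until some other timeout fires; patch 3 of this series comments both calls out, which is consistent with that concern. If the intent is that timeouts are now observed by the state machine through state_watch_for_client_abort, the handler assignment would benefit from a comment naming which timeout still bounds the idle user agent, e.g. `// UA inactivity timeout stays armed; the SM, not the tunnel, now sees it fire`. Both handler functions continue outside the hunks.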
@@ -3611,7 +3611,7 @@ HttpSM::tunnel_handler_post_ua(int event, HttpTunnelProducer *p)
     // timeouts
     ua_entry->vc_handler = &HttpSM::state_watch_for_client_abort;
     ua_entry->read_vio = p->vc->do_io_read(this, INT64_MAX, ua_buffer_reader->mbuf);
-    ua_session->set_inactivity_timeout(0);
+    //ua_session->set_inactivity_timeout(0);
     break;
   default:
     ink_release_assert(0);
@@ -3698,7 +3698,7 @@ HttpSM::tunnel_handler_post_server(int event, HttpTunnelConsumer *c)
     // on the user agent in order to get timeouts
     // coming to the state machine and not the tunnel
     ua_entry->vc_handler = &HttpSM::state_watch_for_client_abort;
-    ua_session->set_inactivity_timeout(0);
+    //ua_session->set_inactivity_timeout(0);
 
     // YTS Team, yamsat Plugin
     // When event is VC_EVENT_ERROR,and when redirection is enabled
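Review bot: Both hunks leave `//ua_session->set_inactivity_timeout(0);` behind as commented-out code even though the subject line says the logic is removed; delete the two lines outright (history keeps them) so the next reader is not left guessing whether they are meant to return. If the outcome of the experiment is worth recording, a short comment stating the decision, e.g. `// The UA inactivity timeout is intentionally left unchanged here`, next to the `ua_entry->vc_handler` assignment is more useful than a dead call. Both tunnel handlers continue outside the hunks.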