From 942592c126a7569731ac7e90fa0c8cb994407ac1 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 1 Sep 2015 15:42:54 +0200
Subject: ssl: release unused read buffer on incomplete client hello and save 33kB
It's easy to make OpenSSL use a lot of memory : sending an incomplete client hello already makes it allocate a lot of buffers. Here we simply release the unused read buffer if the hello is incomplete. That saves about 33kB of memory per session during this phase, and goes down from about 76kB to about 43kB.
[wt: updated to 1.0.2o: sizeof now takes parenthesis since commit c6738fd2]
---
 ssl/s23_srvr.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 31afd02..9bc02aa 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -267,7 +267,10 @@ int ssl23_get_client_hello(SSL *s)
 n = ssl23_read_bytes(s, sizeof(buf_space));
 if (n != sizeof(buf_space))
- return (n); /* n == -1 || n == 0 */
+ {
+ ssl3_release_read_buffer(s);
+ return(n); /* n == -1 || n == 0 */
+ }
 p = s->packet;
@@ -456,7 +459,10 @@ int ssl23_get_client_hello(SSL *s)
 * s->packet_length. We have at least 11 valid packet bytes.
 */
 if (j <= 0)
+ {
+ ssl3_release_read_buffer(s);
+ return(j);
+ }
- return (j);
 ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2);
--
1.7.12.1
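Review bot: Both early returns now call `ssl3_release_read_buffer(s)` on the retry path, yet the function still relies on `s->packet` and `s->packet_length` afterwards (`p = s->packet;` after the first guard, `ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2)` after the second), and the second hunk's own comment says at least 11 packet bytes are already valid when `j <= 0` is tested. If `s->packet` points into the buffer being released and `ssl23_read_bytes` accumulates partial data there (both are defined outside these hunks, so this needs confirming), a hello that arrives in pieces would leave `s->packet` dangling with a non-zero `s->packet_length`, and the bytes already received would be lost or read back from memory that may since have been handed to another connection. A conservative guard is `if (s->packet_length == 0) ssl3_release_read_buffer(s);` in the first hunk and keeping the plain `return (j);` in the second. That limits the saving to connections that have sent nothing, so covering the partial-hello case would need the received bytes copied aside before the release. Whichever is chosen, a comment at each call stating why the release is safe with respect to `s->packet` would help the next rebase.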