Inefficiency in SSL model socket feature for servers



13 years ago
8 years ago


(Reporter: Julien Pierre, Unassigned)



Firefox Tracking Flags

(Not tracked)




13 years ago
When a server uses the model socket feature, it has to call
SSL_ImportFD(connectionSocket, modelSocket) to upgrade the connection socket to
Immediately after, the server is required to call SSL_ResetHandshake, so that
subsequent SSL calls can work .

There is a lot of inefficiency in those two calls. SSL_ImportFD copies a lot of
data from the model socket to the connection socket. But SSL_ResetHandshake ends
up freeing that data immediately. One example of this is with
ssl_CreateSecurityInfo and ssl_ResetSecurityInfo .

There should be a way to perform those two steps in a single API call, which
could then be optimized and avoid unncessary steps .

I suggest we add a new SSL socket flag to designate the servr model socket as
such . When this flag is set in the model socket, SSL_ImportFD would be the only
call required - it would also set the data structures to the proper state for a
server to immediately be able to do I/O, making the call to SSL_ResetHandshake
unnecessary .
I would suggest a new function for libSSL that combines the functionality 
of SSL_ImportFD and SSL_ResetHandshake, and that takes as arguments the 
union of the set of arguments of those two functions.
It might be called SSL_ImportFDAfterConnected().   

It's not exclusively a server feature.  It applies to servers and clients
that import the SSL PRFileDesc into their socket's "stack" of PRFileDescs
after the connect or accept has been done and the socket is connected.

Comment 2

13 years ago
How about SSL_ImportConnectedFD or SSL_ImportConnectedSocket?

Comment 3

13 years ago
I like SSL_ImportConnectedFD better than SSL_ImportConnectedSocket, since the
SSL layer could theoritically be pushed onto other NSPR I/O layers than sockets.
Most people who read the name "import FD" have come to the wrong conclusion
that it is importing the socket FD "into SSL", rather than the correct 
conclusion that it is importing (pushing) an SSL pseudo-FD onto the stack 
of the real socket's FD.  

So, I'd like any new name to make it more apparent that SSL is being added
to the real socket, not the other way around.  
Maybe  SSL_PushOntoConnectedFD  or SSL_ImportSSLIntoSocketFD, or ?


13 years ago
Assignee: wtchang → nelson
QA Contact: bishakhabanerjee → jason.m.reid
QA Contact: jason.m.reid → libraries
Severity: normal → enhancement
Priority: -- → P3
Target Milestone: --- → 3.12


11 years ago
Keywords: perf
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---
Assignee: nelson → nobody
You need to log in before you can comment on or make changes to this bug.