When a server uses the model socket feature, it has to call SSL_ImportFD(connectionSocket, modelSocket) to upgrade the connection socket to SSL. Immediately after, the server is required to call SSL_ResetHandshake, so that subsequent SSL calls can work. There is a lot of inefficiency in those two calls. SSL_ImportFD copies a lot of data from the model socket to the connection socket. But SSL_ResetHandshake ends up freeing that data immediately. One example of this is with ssl_CreateSecurityInfo and ssl_ResetSecurityInfo. There should be a way to perform those two steps in a single API call, which could then be optimized and avoid unnecessary steps. I suggest we add a new SSL socket flag to designate the server model socket as such. When this flag is set in the model socket, SSL_ImportFD would be the only call required - it would also set the data structures to the proper state for a server to immediately be able to do I/O, making the call to SSL_ResetHandshake unnecessary.
I would suggest a new function for libSSL that combines the functionality of SSL_ImportFD and SSL_ResetHandshake, and that takes as arguments the union of the set of arguments of those two functions. It might be called SSL_ImportFDAfterConnected(). It's not exclusively a server feature. It applies to servers and clients that import the SSL PRFileDesc into their socket's "stack" of PRFileDescs after the connect or accept has been done and the socket is connected.
How about SSL_ImportConnectedFD or SSL_ImportConnectedSocket?
I like SSL_ImportConnectedFD better than SSL_ImportConnectedSocket, since the SSL layer could theoretically be pushed onto other NSPR I/O layers than sockets.
Most people who read the name "import FD" have come to the wrong conclusion that it is importing the socket FD "into SSL", rather than the correct conclusion that it is importing (pushing) an SSL pseudo-FD onto the stack of the real socket's FD. So, I'd like any new name to make it more apparent that SSL is being added to the real socket, not the other way around. Maybe SSL_PushOntoConnectedFD or SSL_ImportSSLIntoSocketFD, or ?
QA Contact: bishakhabanerjee → jason.m.reid
Severity: normal → enhancement
Priority: -- → P3
Target Milestone: --- → 3.12
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---