From: Chuck Lever <cel@kernel.org>
To: kernel-tls-handshake@lists.linux.dev
Subject: [PATCH RFC 5/5] tlshd: Disable Nagle during handshakes on TCP sockets
Date: Mon, 17 Apr 2023 10:35:23 -0400 [thread overview]
Message-ID: <168174212348.9615.3404215595659748895.stgit@91.116.238.104.host.secureserver.net> (raw)
In-Reply-To: <168174201703.9615.15054227659982658294.stgit@91.116.238.104.host.secureserver.net>
From: Chuck Lever <chuck.lever@oracle.com>
Fedora Docs suggest:
> The TLS handshake has very poor performance if the TCP Nagle
> algorithm is active. You should switch on the TCP_NODELAY socket
> option (at least for the duration of the handshake), or use the
> Linux-specific TCP_CORK option.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
src/tlshd/handshake.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c
index 5bc96cb5d5aa..25940d099274 100644
--- a/src/tlshd/handshake.c
+++ b/src/tlshd/handshake.c
@@ -43,6 +43,34 @@
#include "tlshd.h"
#include "netlink.h"
+static void tlshd_set_nagle(gnutls_session_t session, int val)
+{
+ int ret;
+
+ ret = setsockopt(gnutls_transport_get_int(session),
+ IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
+ if (ret < 0)
+ tlshd_log_perror("setsockopt (NODELAY)");
+}
+
+static void tlshd_save_nagle(gnutls_session_t session, int *saved)
+{
+ socklen_t len;
+ int ret;
+
+
+ len = sizeof(saved);
+ ret = getsockopt(gnutls_transport_get_int(session),
+ IPPROTO_TCP, TCP_NODELAY, saved, &len);
+ if (ret < 0) {
+ tlshd_log_perror("getsockopt (NODELAY)");
+ saved = 0;
+ return;
+ }
+
+ tlshd_set_nagle(session, 1);
+}
+
/**
* tlshd_start_tls_handshake - Drive the handshake interaction
* @session: TLS session to initialize
@@ -77,9 +105,11 @@ void tlshd_start_tls_handshake(gnutls_session_t session,
}
gnutls_handshake_set_timeout(session, parms->timeout_ms);
+ tlshd_save_nagle(session, &saved);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && !gnutls_error_is_fatal(ret));
+ tlshd_set_nagle(session, saved);
if (ret < 0) {
switch (ret) {
case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
prev parent reply other threads:[~2023-04-17 14:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-17 14:34 [PATCH RFC 0/5] Address security review comments Chuck Lever
2023-04-17 14:34 ` [PATCH RFC 1/5] tlshd: Check mode bit settings on certificate material Chuck Lever
2023-04-17 14:35 ` [PATCH RFC 2/5] tlshd: Fix client's use of Server Name Indication Chuck Lever
2023-04-17 14:35 ` [PATCH RFC 3/5] tlshd: Pass tlshd_parameters to the verification functions Chuck Lever
2023-04-17 14:35 ` [PATCH RFC 4/5] tlshd: Fix server-side peer hostname validation Chuck Lever
2023-04-17 14:35 ` Chuck Lever [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=168174212348.9615.3404215595659748895.stgit@91.116.238.104.host.secureserver.net \
--to=cel@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).