
XOP-229: Stunnel_cache fixes. #124

Merged
merged 3 commits into from


@jeromemaloberti

1 - Stunnel_cache caches live connections.
2 - Stunnel_cache differentiates certified and non-certified connections.

jeromemaloberti added some commits
@jeromemaloberti jeromemaloberti XOP-229: Stored in Stunnel.t if the connection is verified.
Signed-off-by: Jerome Maloberti <jerome.maloberti@citrix.com>
a7f540a
@jeromemaloberti jeromemaloberti XOP-229: Change keep_alive=true and http version = 1.1.
Signed-off-by: Jerome Maloberti <jerome.maloberti@citrix.com>
ce684f7
@jeromemaloberti jeromemaloberti XOP-229: The stunnel_cache key uses also the verify_cert bool.
Signed-off-by: Jerome Maloberti <jerome.maloberti@citrix.com>
23fd992
@thomassa
Owner

Looks reasonable to me. We could do more to increase use of the cache. For example, perhaps in http-svr/xmlrpc_client.ml it could help to change the function SSL.make so that it has a default ?(use_stunnel_cache=true) rather than false as at present.

The changes already here are probably enough to get most of the benefit though, and it would be good to get them into master and see some test/measurement results.

@thomassa thomassa merged commit 30fc1f8 into from
Commits on Jan 31, 2013
  1. @jeromemaloberti

    XOP-229: Stored in Stunnel.t if the connection is verified.

    jeromemaloberti authored
    Signed-off-by: Jerome Maloberti <jerome.maloberti@citrix.com>
  2. @jeromemaloberti

    XOP-229: Change keep_alive=true and http version = 1.1.

    jeromemaloberti authored
    Signed-off-by: Jerome Maloberti <jerome.maloberti@citrix.com>
Commits on Feb 1, 2013
  1. @jeromemaloberti

    XOP-229: The stunnel_cache key uses also the verify_cert bool.

    jeromemaloberti authored
    Signed-off-by: Jerome Maloberti <jerome.maloberti@citrix.com>
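--- a/http-svr/http.ml
+++ b/http-svr/http.ml
@@ -376,7 +376,7 @@ module Request = struct
 body = None;
 }
-let make ?(frame=false) ?(version="1.0") ?(keep_alive=false) ?accept ?cookie ?length ?auth ?subtask_of ?body ?(headers=[]) ?content_type ?host ?(query=[]) ~user_agent meth path =
+let make ?(frame=false) ?(version="1.1") ?(keep_alive=true) ?accept ?cookie ?length ?auth ?subtask_of ?body ?(headers=[]) ?content_type ?host ?(query=[]) ~user_agent meth path =
 { empty with
 version = version;
 frame = frame;
@@ -479,7 +479,7 @@ module Response = struct
 }
 let empty = {
-version = "1.0";
+version = "1.1";
 frame = false;
 code = "500";
 message = "Empty response";
@@ -498,7 +498,7 @@ module Response = struct
 (kvpairs x.additional_headers)
 let empty = {
-version = "1.0";
+version = "1.1";
 frame = false;
 code = "500";
 message = "Unknown error message";
@@ -507,7 +507,7 @@ module Response = struct
 additional_headers = [];
 body = None;
 }
-let make ?(frame=false) ?(version="1.0") ?length ?task ?(headers=[]) ?body code message = {
+let make ?(frame=false) ?(version="1.1") ?length ?task ?(headers=[]) ?body code message = {
 version = version;
 frame = frame;
 code = code;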
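Review bot: The new default `"1.1"` is spelled out as a bare literal in four places (Request.make, both Response.empty records and Response.make), so a later edit can easily leave the request and response sides disagreeing; a single `let default_version = "1.1"` near the top of the file, referenced from each site, would keep them in step. Flipping `keep_alive` to true and the version to 1.1 also changes the wire behaviour of every existing caller that relied on the old defaults, and nothing in the hunk records why; a comment on the Request.make line such as `(* HTTP/1.1 with keep-alive by default so that cached stunnel connections can be reused across requests (XOP-229) *)` would capture the intent, which I am inferring from the PR title rather than from the hunk. The bodies of Request.make and Response.make continue outside the hunks.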
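--- a/http-svr/xmlrpc_client.ml
+++ b/http-svr/xmlrpc_client.ml
@@ -96,14 +96,14 @@ let get_new_stunnel_id =
 (** Returns an stunnel, either from the persistent cache or a fresh one which
 has been checked out and guaranteed to work. *)
-let get_reusable_stunnel ?use_fork_exec_helper ?write_to_log host port =
+let get_reusable_stunnel ?use_fork_exec_helper ?write_to_log host port verify_cert =
 let start_time = Unix.gettimeofday () in
 let found = ref None in
 (* 1. First check if there is a suitable stunnel in the cache. *)
 begin
 try
 while !found = None do
-let (x: Stunnel.t) = Stunnel_cache.remove host port in
+let (x: Stunnel.t) = Stunnel_cache.remove host port verify_cert in
 if check_reusable x.Stunnel.fd
 then found := Some x
 else begin
@@ -129,7 +129,7 @@ let get_reusable_stunnel ?use_fork_exec_helper ?write_to_log host port =
 incr attempt_number;
 try
 let unique_id = get_new_stunnel_id () in
-let (x: Stunnel.t) = Stunnel.connect ~unique_id ?use_fork_exec_helper ?write_to_log host port in
+let (x: Stunnel.t) = Stunnel.connect ~unique_id ?use_fork_exec_helper ?write_to_log ~verify_cert host port in
 if check_reusable x.Stunnel.fd
 then found := Some x
 else begin
@@ -211,10 +211,9 @@ let with_transport transport f = match transport with
 use_stunnel_cache = use_stunnel_cache;
 verify_cert = verify_cert;
 task_id = task_id}, host, port) ->
-assert (not (verify_cert && use_stunnel_cache));
 let st_proc =
 if use_stunnel_cache
-then get_reusable_stunnel ~use_fork_exec_helper ~write_to_log host port
+then get_reusable_stunnel ~use_fork_exec_helper ~write_to_log host port verify_cert
 else
 let unique_id = get_new_stunnel_id () in
 Stunnel.connect ~use_fork_exec_helper ~write_to_log ~unique_id ~verify_cert ~extended_diagnosis:true host port in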
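Review bot: The doc comment on `get_reusable_stunnel` is not updated for the new `verify_cert` parameter, and with `assert (not (verify_cert && use_stunnel_cache))` removed from `with_transport` it is now the cache key alone that stops a request asking for certificate verification from being served by a tunnel that was opened without it; that invariant deserves stating where the old guard used to be. I would extend the comment to say that a cached tunnel is only returned when it was opened with the same `verify_cert` value, which is what `Stunnel_cache.remove host port verify_cert` looks up, and that otherwise a fresh tunnel is connected with `~verify_cert`. The trailing positional bool is also boolean-blind at the call sites, while `Stunnel.connect` in the same hunks already takes `~verify_cert`; a label here (and on `Stunnel_cache.remove`) would read consistently and be checked by the compiler. The bodies of `get_reusable_stunnel` and `with_transport` continue outside the hunks.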
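--- a/stunnel/stunnel.ml
+++ b/stunnel/stunnel.ml
@@ -113,6 +113,7 @@ type t = { mutable pid: pid; fd: Unix.file_descr; host: string; port: int;
 connected_time: float;
 unique_id: int option;
 mutable logfile: string;
+verified: bool;
 }
 let config_file verify_cert extended_diagnosis host port =
@@ -187,7 +188,7 @@ let attempt_one_connect ?unique_id ?(use_fork_exec_helper = true)
 let t =
 { pid = Nopid; fd = data_out; host = host; port = port;
 connected_time = Unix.gettimeofday (); unique_id = unique_id;
-logfile = "" } in
+logfile = ""; verified = verify_cert } in
 let result = Forkhelpers.with_logfile_fd "stunnel"
 ~delete:(not extended_diagnosis)
 (fun logfd ->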
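Review bot: The new `verified` field is assigned straight from the `verify_cert` argument in `attempt_one_connect`, so it records that verification was requested when the tunnel was configured, not a result reported back by stunnel; the name invites the stronger reading. Either rename it `verify_cert` to match the argument, or keep the name and document it at the type definition, which the stunnel.mli hunk leaves without a doc comment unlike its neighbouring fields: `verified: bool; (** true iff this tunnel was set up with verify_cert; part of the Stunnel_cache key *)`. Keeping the field immutable, as the hunk does, is the right call since the cache relies on it. `attempt_one_connect`'s body continues outside the hunk.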
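--- a/stunnel/stunnel.mli
+++ b/stunnel/stunnel.mli
@@ -34,6 +34,7 @@ type t = { mutable pid: pid;
 connected_time: float; (** time when the connection opened, for 'early retirement' *)
 unique_id: int option;
 mutable logfile: string;
+verified: bool;
 }
 (** Connects via stunnel (optionally via an external 'fork/exec' helper) to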
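--- a/stunnel/stunnel_cache.ml
+++ b/stunnel/stunnel_cache.ml
@@ -23,7 +23,7 @@
 module D=Debug.Debugger(struct let name="stunnel_cache" end)
 open D
-type endpoint = { host: string; port: int }
+type endpoint = { host: string; port: int; verified: bool }
 (* Need to limit the absolute number of stunnels as well as the maximum age *)
 let max_stunnel = 22
@@ -127,7 +127,7 @@ let add (x: Stunnel.t) =
 incr counter;
 Hashtbl.add !times idx now;
 Hashtbl.add !stunnels idx x;
-let ep = { host = x.Stunnel.host; port = x.Stunnel.port } in
+let ep = { host = x.Stunnel.host; port = x.Stunnel.port; verified = x.Stunnel.verified } in
 let existing =
 if Hashtbl.mem !index ep
 then Hashtbl.find !index ep
@@ -140,8 +140,8 @@ let add (x: Stunnel.t) =
 (** Returns an Stunnel.t for this endpoint (oldest first), raising Not_found
 if none can be found *)
-let remove host port =
-let ep = { host = host; port = port } in
+let remove host port verified =
+let ep = { host = host; port = port; verified = verified } in
 Mutex.execute m
 (fun () ->
 unlocked_gc ();
@@ -174,10 +174,10 @@ let flush () =
 info "Flushed!")
-let connect ?use_fork_exec_helper ?write_to_log host port =
+let connect ?use_fork_exec_helper ?write_to_log host port verify_cert =
 try
-remove host port
+remove host port verify_cert
 with Not_found ->
 error "Failed to find stunnel in cache for endpoint %s:%d" host port;
-Stunnel.connect ?use_fork_exec_helper ?write_to_log host port
+Stunnel.connect ?use_fork_exec_helper ?write_to_log ~verify_cert host port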
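Review bot: The cache-miss log line in `connect` still prints only `host` and `port`, although the key now also carries the verification flag, so a miss for a verified endpoint cannot be told apart in the logs from one for an unverified endpoint on the same host; `error "Failed to find stunnel in cache for endpoint %s:%d (verify_cert=%b)" host port verify_cert` would make the new key component visible. A miss is also the normal path that falls through to a fresh `Stunnel.connect`, so `info` or `debug` looks like a more fitting level than `error`, though that predates this change. The endpoint record is now built field by field in both `add` and `remove`; a small helper taking host, port and the flag would keep the two from drifting if the key grows again. The bodies of `add` and `remove` continue outside the hunks.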
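--- a/stunnel/stunnel_cache.mli
+++ b/stunnel/stunnel_cache.mli
@@ -26,13 +26,13 @@
 will be used, otherwise we make a fresh one. *)
 val connect :
 ?use_fork_exec_helper:bool ->
-?write_to_log:(string -> unit) -> string -> int -> Stunnel.t
+?write_to_log:(string -> unit) -> string -> int -> bool -> Stunnel.t
 (** Adds a reusable stunnel to the cache *)
 val add : Stunnel.t -> unit
 (** Given a host and port return a cached stunnel, or throw Not_found *)
-val remove : string -> int -> Stunnel.t
+val remove : string -> int -> bool -> Stunnel.t
 (** Empty the cache of all stunnels *)
 val flush : unit -> unit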
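Review bot: The doc comment on `remove` still says "Given a host and port" although the signature gains a third `bool` argument, and neither it nor the comment on `connect` says what the bool means or that it is part of the lookup key; `(** Given a host, port and verify_cert flag, return a cached stunnel that was opened with that flag, or throw Not_found *)`. A bare positional `bool` in an interface is easy to misread at call sites; `~verify_cert:bool` on both `connect` and `remove` would match `Stunnel.connect`, which the stunnel_cache.ml hunk already calls with `~verify_cert`, and would be verified by the compiler rather than by convention.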