SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).

The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can save some CPU cycles on renegotiation attempts.
2018-07-16 17:47:48 +03:00 · 2018-07-16 17:47:48 +03:00 · 0d89e57550
commit 0d89e57550
parent 920d2613ae
1 changed files with 4 additions and 0 deletions
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -1193,6 +1193,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)

    } else {
        SSL_set_accept_state(sc->connection);
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+        SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
+#endif
    }

    if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {