SSL_CTX_set_split_send_fragment.pod 8.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192
  1. =pod
  2. =head1 NAME
  3. SSL_CTX_set_max_send_fragment, SSL_set_max_send_fragment,
  4. SSL_CTX_set_split_send_fragment, SSL_set_split_send_fragment,
  5. SSL_CTX_set_max_pipelines, SSL_set_max_pipelines,
  6. SSL_CTX_set_default_read_buffer_len, SSL_set_default_read_buffer_len,
  7. SSL_CTX_set_tlsext_max_fragment_length,
  8. SSL_set_tlsext_max_fragment_length,
  9. SSL_SESSION_get_max_fragment_length - Control fragment size settings and pipelining operations
  10. =head1 SYNOPSIS
  11. #include <openssl/ssl.h>
  12. long SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, long);
  13. long SSL_set_max_send_fragment(SSL *ssl, long m);
  14. long SSL_CTX_set_max_pipelines(SSL_CTX *ctx, long m);
  15. long SSL_set_max_pipelines(SSL_CTX *ssl, long m);
  16. long SSL_CTX_set_split_send_fragment(SSL_CTX *ctx, long m);
  17. long SSL_set_split_send_fragment(SSL *ssl, long m);
  18. void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
  19. void SSL_set_default_read_buffer_len(SSL *s, size_t len);
  20. int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode);
  21. int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode);
  22. uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session);
  23. =head1 DESCRIPTION
  24. Some engines are able to process multiple simultaneous crypto operations. This
  25. capability could be utilised to parallelise the processing of a single
  26. connection. For example a single write can be split into multiple records and
  27. each one encrypted independently and in parallel. Note: this will only work in
  28. TLS1.1+. There is no support in SSLv3, TLSv1.0 or DTLS (any version). This
  29. capability is known as "pipelining" within OpenSSL.
  30. In order to benefit from the pipelining capability. You need to have an engine
  31. that provides ciphers that support this. The OpenSSL "dasync" engine provides
  32. AES128-SHA based ciphers that have this capability. However, these are for
  33. development and test purposes only.
  34. SSL_CTX_set_max_send_fragment() and SSL_set_max_send_fragment() set the
  35. B<max_send_fragment> parameter for SSL_CTX and SSL objects respectively. This
  36. value restricts the amount of plaintext bytes that will be sent in any one
  37. SSL/TLS record. By default its value is SSL3_RT_MAX_PLAIN_LENGTH (16384). These
  38. functions will only accept a value in the range 512 - SSL3_RT_MAX_PLAIN_LENGTH.
  39. SSL_CTX_set_max_pipelines() and SSL_set_max_pipelines() set the maximum number
  40. of pipelines that will be used at any one time. This value applies to both
  41. "read" pipelining and "write" pipelining. By default only one pipeline will be
  42. used (i.e. normal non-parallel operation). The number of pipelines set must be
  43. in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also
  44. automatically turn on "read_ahead" (see L<SSL_CTX_set_read_ahead(3)>). This is
  45. explained further below. OpenSSL will only ever use more than one pipeline if
  46. a cipher suite is negotiated that uses a pipeline capable cipher provided by an
  47. engine.
  48. Pipelining operates slightly differently for reading encrypted data compared to
  49. writing encrypted data. SSL_CTX_set_split_send_fragment() and
  50. SSL_set_split_send_fragment() define how data is split up into pipelines when
  51. writing encrypted data. The number of pipelines used will be determined by the
  52. amount of data provided to the SSL_write_ex() or SSL_write() call divided by
  53. B<split_send_fragment>.
  54. For example if B<split_send_fragment> is set to 2000 and B<max_pipelines> is 4
  55. then:
  56. SSL_write/SSL_write_ex called with 0-2000 bytes == 1 pipeline used
  57. SSL_write/SSL_write_ex called with 2001-4000 bytes == 2 pipelines used
  58. SSL_write/SSL_write_ex called with 4001-6000 bytes == 3 pipelines used
  59. SSL_write/SSL_write_ex called with 6001+ bytes == 4 pipelines used
  60. B<split_send_fragment> must always be less than or equal to
  61. B<max_send_fragment>. By default it is set to be equal to B<max_send_fragment>.
  62. This will mean that the same number of records will always be created as would
  63. have been created in the non-parallel case, although the data will be
  64. apportioned differently. In the parallel case data will be spread equally
  65. between the pipelines.
  66. Read pipelining is controlled in a slightly different way than with write
  67. pipelining. While reading we are constrained by the number of records that the
  68. peer (and the network) can provide to us in one go. The more records we can get
  69. in one go the more opportunity we have to parallelise the processing. As noted
  70. above when setting B<max_pipelines> to a value greater than one, B<read_ahead>
  71. is automatically set. The B<read_ahead> parameter causes OpenSSL to attempt to
  72. read as much data into the read buffer as the network can provide and will fit
  73. into the buffer. Without this set data is read into the read buffer one record
  74. at a time. The more data that can be read, the more opportunity there is for
  75. parallelising the processing at the cost of increased memory overhead per
  76. connection. Setting B<read_ahead> can impact the behaviour of the SSL_pending()
  77. function (see L<SSL_pending(3)>). In addition the default size of the internal
  78. read buffer is multiplied by the number of pipelines available to ensure that we
  79. can read multiple records in one go. This can therefore have a significant
  80. impact on memory usage.
  81. The SSL_CTX_set_default_read_buffer_len() and SSL_set_default_read_buffer_len()
  82. functions control the size of the read buffer that will be used. The B<len>
  83. parameter sets the size of the buffer. The value will only be used if it is
  84. greater than the default that would have been used anyway. The normal default
  85. value depends on a number of factors but it will be at least
  86. SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD (16704) bytes.
  87. SSL_CTX_set_tlsext_max_fragment_length() sets the default maximum fragment
  88. length negotiation mode via value B<mode> to B<ctx>.
  89. This setting affects only SSL instances created after this function is called.
  90. It affects the client-side as only its side may initiate this extension use.
  91. SSL_set_tlsext_max_fragment_length() sets the maximum fragment length
  92. negotiation mode via value B<mode> to B<ssl>.
  93. This setting will be used during a handshake when extensions are exchanged
  94. between client and server.
  95. So it only affects SSL sessions created after this function is called.
  96. It affects the client-side as only its side may initiate this extension use.
  97. SSL_SESSION_get_max_fragment_length() gets the maximum fragment length
  98. negotiated in B<session>.
  99. =head1 RETURN VALUES
  100. All non-void functions return 1 on success and 0 on failure.
  101. =head1 NOTES
  102. The Maximum Fragment Length extension support is optional on the server side.
  103. If the server does not support this extension then
  104. SSL_SESSION_get_max_fragment_length() will return:
  105. TLSEXT_max_fragment_length_DISABLED.
  106. The following modes are available:
  107. =over 4
  108. =item TLSEXT_max_fragment_length_DISABLED
  109. Disables Maximum Fragment Length Negotiation (default).
  110. =item TLSEXT_max_fragment_length_512
  111. Sets Maximum Fragment Length to 512 bytes.
  112. =item TLSEXT_max_fragment_length_1024
  113. Sets Maximum Fragment Length to 1024.
  114. =item TLSEXT_max_fragment_length_2048
  115. Sets Maximum Fragment Length to 2048.
  116. =item TLSEXT_max_fragment_length_4096
  117. Sets Maximum Fragment Length to 4096.
  118. =back
  119. With the exception of SSL_CTX_set_default_read_buffer_len()
  120. SSL_set_default_read_buffer_len(), SSL_CTX_set_tlsext_max_fragment_length(),
  121. SSL_set_tlsext_max_fragment_length() and SSL_SESSION_get_max_fragment_length()
  122. all these functions are implemented using macros.
  123. =head1 SEE ALSO
  124. L<ssl(7)>,
  125. L<SSL_CTX_set_read_ahead(3)>, L<SSL_pending(3)>
  126. =head1 HISTORY
  127. The SSL_CTX_set_max_pipelines(), SSL_set_max_pipelines(),
  128. SSL_CTX_set_split_send_fragment(), SSL_set_split_send_fragment(),
  129. SSL_CTX_set_default_read_buffer_len() and SSL_set_default_read_buffer_len()
  130. functions were added in OpenSSL 1.1.0.
  131. The SSL_CTX_set_tlsext_max_fragment_length(), SSL_set_tlsext_max_fragment_length()
  132. and SSL_SESSION_get_max_fragment_length() functions were added in OpenSSL 1.1.1.
  133. =head1 COPYRIGHT
  134. Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
  135. Licensed under the Apache License 2.0 (the "License"). You may not use
  136. this file except in compliance with the License. You can obtain a copy
  137. in the file LICENSE in the source distribution or at
  138. L<https://www.openssl.org/source/license.html>.
  139. =cut