SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).

The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can
save some CPU cycles on renegotiation attempts.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 2dfecd44c1d955020c139589c3f581151a79181f..04b092305cdebbe68e1c4114b496934a5f87ff04 100644 (file)
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1193,6 +1193,10 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 
     } else {
         SSL_set_accept_state(sc->connection);
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+        SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
+#endif
     }
 
     if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {