void SSLContextManager::SslContexts::ctxSetupByOpensslFeature()

in wangle/ssl/SSLContextManager.cpp [869:938]


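/// Applies the per-context OpenSSL settings whose availability depends on
/// the linked OpenSSL build (each one is guarded by a feature macro):
/// compression and renegotiation are switched off, buffer-release modes are
/// enabled, the maximum send fragment is fixed, the configured next
/// protocols are advertised, and - when SNI is available - the context
/// flagged as default receives the server-name callback.
///
/// @param sslCtx      the context being configured
/// @param ctxConfig   configuration for this context; only nextProtocols and
///                    isDefault are read here
/// @param stats       handed to the server-name callback; unused when the
///                    build has no SNI support
/// @param newDefault  in/out: receives sslCtx when this context becomes the
///                    default one; must be empty if ctxConfig.isDefault is set
/// @throws std::runtime_error (SNI builds only) when ctxConfig.isDefault is
///         true but a default context has already been chosen
void SSLContextManager::SslContexts::ctxSetupByOpensslFeature(
    shared_ptr<ServerSSLContext> sslCtx,
    const SSLContextConfig& ctxConfig,
    ClientHelloExtStats* stats,
    std::shared_ptr<ServerSSLContext>& newDefault) {
  // Disable compression - profiling shows this to be very expensive in
  // terms of CPU and memory consumption. Keeping TLS-level compression off
  // also removes the compression-oracle attack surface, so this is the
  // recommended server default independent of the performance argument.
  //
#ifdef SSL_OP_NO_COMPRESSION
  sslCtx->setOptions(SSL_OP_NO_COMPRESSION);
#endif

  // Enable early release of SSL buffers to reduce the memory footprint
#ifdef SSL_MODE_RELEASE_BUFFERS
  // Note: SSL_CTX_set_mode doesn't set, just ORs the arg with existing mode
  SSL_CTX_set_mode(sslCtx->getSSLCtx(), SSL_MODE_RELEASE_BUFFERS);

#endif
#ifdef SSL_MODE_EARLY_RELEASE_BBIO
  // Note: SSL_CTX_set_mode doesn't set, just ORs the arg with existing mode
  SSL_CTX_set_mode(sslCtx->getSSLCtx(), SSL_MODE_EARLY_RELEASE_BBIO);
#endif

  // This number should (probably) correspond to HTTPSession::kMaxReadSize
  // For now, this number must also be large enough to accommodate our
  // largest certificate, because some older clients (IE6/7) require the
  // cert to be in a single fragment.
  // NOTE(review): the 8000 is a hard-coded literal with no shared constant
  // tying it to kMaxReadSize; if either side changes, the other will not
  // follow automatically.
#ifdef SSL_CTRL_SET_MAX_SEND_FRAGMENT
  SSL_CTX_set_max_send_fragment(sslCtx->getSSLCtx(), 8000);
#endif

  // NPN (Next Protocol Negotiation) / ALPN: advertise the configured list
  // (in randomized order, per the setter's name) only when the build has
  // ALPN support; otherwise report the missing feature.
  if (!ctxConfig.nextProtocols.empty()) {
#if FOLLY_OPENSSL_HAS_ALPN
    sslCtx->setRandomizedAdvertisedNextProtocols(ctxConfig.nextProtocols);
#else
    OPENSSL_MISSING_FEATURE(NPN);
#endif
  }

  // SNI
#if FOLLY_OPENSSL_HAS_SNI
  if (ctxConfig.isDefault) {
    // Exactly one context may be the default; a second one is a
    // configuration error rather than something to silently overwrite.
    if (newDefault) {
      throw std::runtime_error("More than 1 X509 is set as default");
    }

    newDefault = sslCtx;
    // The server-name callback is installed on the default context only.
    // Capturing shared_from_this() keeps this SslContexts instance alive for
    // as long as the callback (and thus the context) exists.
    newDefault->setServerNameCallback(
        [stats, contexts = shared_from_this()](SSL* ssl) {
          return serverNameCallback(ssl, stats, contexts);
        });
  }
#else
  // without SNI support, we expect only a single cert. set it as default and
  // error if we go to another. (OPENSSL_MISSING_FEATURE is defined elsewhere
  // in the project; presumably it reports the unsupported configuration.)
  if (newDefault) {
    OPENSSL_MISSING_FEATURE(SNI);
  }

  newDefault = sslCtx;

  // Silence unused parameter warning. A void cast is the idiomatic form; a
  // bare `(stats);` expression statement is itself flagged as having no
  // effect by some compilers, so it did not reliably silence anything.
  (void)stats;
#endif
#ifdef SSL_OP_NO_RENEGOTIATION
  // Disable renegotiation at the OpenSSL layer. Client-initiated
  // renegotiation is a well-known resource-exhaustion vector and is not
  // needed by this server, so refusing it at the library level is the
  // safe default.
  sslCtx->setOptions(SSL_OP_NO_RENEGOTIATION);
#endif
}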