Include a patch to fix nghttpx bug which causes TLS write stall

zlabjp · Feb 7, 2023 · efff342 · efff342
1 parent 55671e3
commit efff342
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -19,7 +19,7 @@
 
 FROM debian:11 as build
 
-COPY patches/extra-mrbgem.patch patches/0001-nghttpx-Fix-affinity-cookie-stickiness-parameter-han.patch /
+COPY patches/extra-mrbgem.patch patches/0001-nghttpx-Fix-affinity-cookie-stickiness-parameter-han.patch patches/0001-nghttpx-Fix-bug-that-stalls-TLS-write.patch /
 
 # Inspired by clean-install https://github.com/kubernetes/kubernetes/blob/73641d35c7622ada9910be6fb212d40755cc1f78/build/debian-base/clean-install
 RUN apt-get update && \
@@ -66,6 +66,7 @@ RUN git clone --depth 1 -b v1.50.0 https://github.com/nghttp2/nghttp2.git && \
     cd nghttp2 && \
     patch -p1 < /extra-mrbgem.patch && \
     patch -p1 < /0001-nghttpx-Fix-affinity-cookie-stickiness-parameter-han.patch && \
+    patch -p1 < /0001-nghttpx-Fix-bug-that-stalls-TLS-write.patch && \
     git submodule update --init && \
     autoreconf -i && \
     ./configure --disable-examples --disable-hpack-tools --disable-python-bindings --with-mruby --with-neverbleed \

diff --git a/patches/0001-nghttpx-Fix-bug-that-stalls-TLS-write.patch b/patches/0001-nghttpx-Fix-bug-that-stalls-TLS-write.patch
@@ -0,0 +1,56 @@
+From cbcfdaa6555778a8c52d7d60b787dbd9d6a755ca Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <[email protected]>
+Date: Mon, 6 Feb 2023 21:51:16 +0900
+Subject: [PATCH] nghttpx: Fix bug that stalls TLS write
+
+---
+ src/shrpx_connection.cc | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc
+index 8fcf54cb..9869e5f2 100644
+--- a/src/shrpx_connection.cc
++++ b/src/shrpx_connection.cc
+@@ -929,6 +929,10 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
+
+   tls.last_write_idle = -1.;
+
++  auto &tlsconf = get_config()->tls;
++  auto via_bio =
++      tls.server_handshake && !tlsconf.session_cache.memcached.host.empty();
++
+   ERR_clear_error();
+
+ #if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
+@@ -958,7 +962,12 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
+     case SSL_ERROR_WANT_WRITE:
+       tls.last_writelen = len;
+       // starting write watcher and timer is done in write_clear via
+-      // bio.
++      // bio otherwise.
++      if (!via_bio) {
++        wlimit.startw();
++        ev_timer_again(loop, &wt);
++      }
++
+       return 0;
+     case SSL_ERROR_SSL:
+       if (LOG_ENABLED(INFO)) {
+@@ -974,6 +983,14 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
+     }
+   }
+
++  if (!via_bio) {
++    wlimit.drain(rv);
++
++    if (ev_is_active(&wt)) {
++      ev_timer_again(loop, &wt);
++    }
++  }
++
+   update_tls_warmup_writelen(rv);
+
+   return rv;
+-- 
+2.34.1
+