/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) NGINX, Inc.
 */

/*
 * TLS backend abstraction: a per-library entry-point table, a per-server
 * configuration record, and the externs for each backend the build enables.
 * The guard name follows the project's _NXT_*_H_INCLUDED_ convention
 * (technically a reserved identifier in ISO C; kept for consistency).
 */
#ifndef _NXT_TLS_H_INCLUDED_
#define _NXT_TLS_H_INCLUDED_


/*
 * The SSL/TLS libraries lack a vector I/O interface yet add noticeable
 * overhead to each SSL/TLS record, so buffering reduces that overhead.
 * The typical overhead is about 30 bytes; however, TLS also supports
 * random padding of up to 255 bytes.  The maximum SSLv3/TLS record size
 * is 16K, but large records increase decryption latency.  4K is a good
 * compromise between 1-6% of SSL/TLS overhead and the latency.  A 4K buffer
 * allows one SSL/TLS record (4096 bytes of data and up to 224 bytes of
 * overhead) to be sent in three 1440-byte TCP/IPv4 packets with timestamps,
 * and is compatible with tunnels.
 *
 * NOTE(review): this is only the compile-time constant; nxt_tls_conf_t
 * below carries a run-time buffer_size, and whether that field is seeded
 * from this macro is not visible in this header.
 */

#define NXT_TLS_BUFFER_SIZE  4096


typedef struct nxt_tls_conf_s  nxt_tls_conf_t;


/*
 * Entry points supplied by one TLS backend (see the nxt_*_lib externs at
 * the end of this header).  From the names, library_init/library_free
 * presumably bracket the lifetime of the library as a whole and
 * server_init/server_free the lifetime of one nxt_tls_conf_t; the
 * nxt_int_t results presumably follow the project's NXT_OK/NXT_ERROR
 * convention -- confirm against the backend implementations.
 */
typedef struct {
    nxt_int_t                   (*library_init)(nxt_task_t *task);
    void                        (*library_free)(nxt_task_t *task);

    nxt_int_t                   (*server_init)(nxt_task_t *task,
                                    nxt_tls_conf_t *conf);
    void                        (*server_free)(nxt_task_t *task,
                                    nxt_tls_conf_t *conf);
} nxt_tls_lib_t;


/*
 * One TLS server configuration.  Only the field types are fixed here; how
 * each backend interprets them lives in its nxt_*_lib implementation.
 */
struct nxt_tls_conf_s {
    /*
     * Backend-private state (e.g. the library's context object).  Presumably
     * allocated in server_init and released in server_free -- confirm.
     */
    void                        *ctx;
    /* Hook invoked for a new connection using this configuration. */
    void                        (*conn_init)(nxt_task_t *task,
                                    nxt_tls_conf_t *conf, nxt_conn_t *c);

    /* Entry-point table of the backend selected for this configuration. */
    const nxt_tls_lib_t         *lib;

    /*
     * Open descriptor for the certificate chain.  NOTE(review): this header
     * does not say what format the file is in, whether the private key is
     * in the same file, or which code closes the descriptor; treat it as
     * secret material either way.
     */
    nxt_fd_t                    chain_file;
    /*
     * Cipher list handed to the backend.  Its syntax is library-specific
     * (OpenSSL cipher strings and GnuTLS priority strings differ), so a
     * value accepted by one backend may be rejected -- or silently
     * reinterpreted -- by another.  A plain char *, so no length field:
     * the caller must keep it valid for the lifetime of the configuration.
     */
    char                        *ciphers;

    /*
     * CA certificate (the name suggests it is used to verify peer
     * certificates).  Given the char * type this is presumably a path rather
     * than PEM data, and NULL presumably means "no CA configured" -- confirm
     * against the backend that consumes it.
     */
    char                        *ca_certificate;

    /*
     * Record buffer size used by this configuration.  Presumably defaults
     * to NXT_TLS_BUFFER_SIZE when not set explicitly -- confirm.
     */
    size_t                      buffer_size;
};


#if (NXT_HAVE_OPENSSL)
extern const nxt_tls_lib_t  nxt_openssl_lib;

/*
 * Log a printf-style message at the given level, presumably followed by
 * the pending OpenSSL error queue.  fmt must be a string literal, never
 * caller- or peer-supplied data (format-string injection).
 */
void nxt_cdecl nxt_openssl_log_error(nxt_task_t *task, nxt_uint_t level,
    const char *fmt, ...);
/*
 * Write a textual rendering of the OpenSSL error queue into [p, end) and
 * return the new write position.  NOTE(review): this header does not show
 * that end is honoured; confirm the implementation bounds its writes
 * before passing a tight buffer.
 */
u_char *nxt_openssl_copy_error(u_char *p, u_char *end);
#endif

#if (NXT_HAVE_GNUTLS)
extern const nxt_tls_lib_t  nxt_gnutls_lib;
#endif

/*
 * NOTE(review): CyaSSL and PolarSSL are the former names of wolfSSL and
 * Mbed TLS; whether these two backends are still built and maintained is
 * not visible from this header.
 */
#if (NXT_HAVE_CYASSL)
extern const nxt_tls_lib_t  nxt_cyassl_lib;
#endif

#if (NXT_HAVE_POLARSSL)
extern const nxt_tls_lib_t  nxt_polar_lib;
#endif


#endif /* _NXT_TLS_H_INCLUDED_ */