BUG/MINOR: ssl: don't initialize the keylog callback when not required

The registering of the keylog callback seems to provoke a loss of performance. Disable the registration as well as the fetches if tune.ssl.keylog is off. Must be backported as far as 2.2. (cherry picked from commit b60a77b6d0a50c3a006b541908f69d6bd91b3e8c) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
2022-11-18 15:00:15 +01:00 · 2022-11-18 15:00:15 +01:00 · a054cb61ba
commit a054cb61ba
parent 369c66d040
2 changed files with 6 additions and 1 deletions
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@ -1837,6 +1837,9 @@ static int smp_fetch_ssl_x_keylog(const struct arg *args, struct sample *smp, co
 	char *src = NULL;
 	const char *sfx;

+	if (global_ssl.keylog <= 0)
+		return 0;
+
 	conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
 	       smp->strm ? sc_conn(smp->strm->scb) : NULL;

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -4963,7 +4963,9 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 	SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
 #endif
 #ifdef HAVE_SSL_KEYLOG
-	SSL_CTX_set_keylog_callback(ctx, SSL_CTX_keylog);
+	/* only activate the keylog callback if it was required to prevent performance loss */
+	if (global_ssl.keylog > 0)
+		SSL_CTX_set_keylog_callback(ctx, SSL_CTX_keylog);
 #endif

 #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)