BUG/MINOR: checks: attempt clean shutw for SSL check

Strict interpretation of TLS can cause SSL sessions to be thrown away when the socket is shutdown without sending a "close notify", resulting in each check to go through the complete handshake, eating more CPU on the servers. [wt: strictly speaking there's no guarantee that the close notify will be delivered, it's only best effort, but that may be enough to ensure that once at least one is received, next checks will be cheaper. This should be backported to 1.7 and possibly 1.6]
2025-03-23 19:36:47 +00:00 · 2017-03-08 11:06:20 -08:00 · 2017-03-08 11:06:20 -08:00 · 544d481516
commit 544d481516
parent 614f8d7d56
1 changed files with 7 additions and 6 deletions
--- a/src/checks.c
+++ b/src/checks.c
@ -1349,14 +1349,15 @@ static void event_srv_chk_r(struct connection *conn)
 	*check->bi->data = '\0';
 	check->bi->i = 0;

-	/* Close the connection... We absolutely want to perform a hard close
-	 * and reset the connection if some data are pending, otherwise we end
-	 * up with many TIME_WAITs and eat all the source port range quickly.
-	 * To avoid sending RSTs all the time, we first try to drain pending
-	 * data.
+	/* Close the connection... We still attempt to nicely close if,
+	 * for instance, SSL needs to send a "close notify." Later, we perform
+	 * a hard close and reset the connection if some data are pending,
+	 * otherwise we end up with many TIME_WAITs and eat all the source port
+	 * range quickly.  To avoid sending RSTs all the time, we first try to
+	 * drain pending data.
 	 */
 	__conn_data_stop_both(conn);
-	conn_data_shutw_hard(conn);
+	conn_data_shutw(conn);

 	/* OK, let's not stay here forever */
 	if (check->result == CHK_RES_FAILED)