Remy1119
Remy1119

CentOS7安装QAT 1.7加密卡

1. 准备材料

1.1 机器

物理PC一台(记作A),安装QAT加密卡硬件和CentOS 7系统。

1.2 Tools

登录A,执行:

# yum install -y kernel kernel-devel openssl-devel pciutils zlib-devel gcc libudev-devel boost-devel

如果内核有更新,重启。

1.3 Code

1.3.1 QAT相关

https://01.org/sites/default/files/downloads/intelr-quickassist-technology/qat1.7.upstream.l.1.0.3-42.tar.gz

https://github.com/intel/QAT_Engine/archive/v0.5.34.tar.gz

1.3.2 OpenSSL

https://github.com/openssl/openssl/archive/OpenSSL_1_1_0g.tar.gz

1.3.3 应用相关

http://nginx.org/download/nginx-1.12.2.tar.gz

http://www.haproxy.org/download/1.8/src/haproxy-1.8.4.tar.gz

只能用浏览器下载。

2. Make && Make install

2.1 QAT driver

登录A,执行:

 

# mkdir /tmp/QAT

# tar zxvf qat1.7.upstream.l.*.tar.gz -C /tmp/QAT

# cd /tmp/QAT

# chmod -R o-rwx *

# ./configure

# make

# make install

2.2 OpenSSL

登录A,执行:

# tar xzf OpenSSL_1_1_0g.tar.gz

# cd openssl-OpenSSL_1_1_0g

# ./config --prefix=/usr/local/ssl

# make depend (ifrecommended by the OpenSSL* build system)

# make

# make install

# export OPENSSL_ENGINES=/usr/local/ssl/lib/engines-1.1

# echo /usr/local/ssl/lib > /etc/ld.so.conf.d/qat.conf

# ldconfig

2.3 QAT Engine

2.3.1 qat_contig_mem

# tar zxf QAT_Engine-0.5.34.tar.gz

# cd QAT_Engine-0.5.34/qat_contig_mem

# make

# make load

# make test

2.3.2 QAT_Engine

# cd QAT_Engine-0.5.34

# ./configure --with-qat_dir=/tmp/QAT\

--with-openssl_dir=/path/to/openssl-OpenSSL_1_1_0g\

--with-openssl_install_dir=/usr/local/ssl\

--enable-upstream_driver \

--enable-usdm

# make

# make install

2.3.3 QAT config files

# cp /path/to/QAT_Engine-0.5.34/qat/config/c6xx/multi_process_event-driven_optimized/*/etc

# service qat_servicestop

# service qat_servicestart

2.4 Nginx

nginx-qat.patch:

diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
index a1baefb..e783b5f 100644
--- a/src/core/ngx_connection.c
+++ b/src/core/ngx_connection.c
@@ -957,6 +957,18 @@ ngx_configure_listening_sockets(ngx_cycle_t *cycle)
     return;
 }

+#if (NGX_SSL)
+void
+ngx_asynch_del_conn(ngx_connection_t *c)
+{
+    if (ngx_del_async_conn) {
+        if (c->num_async_fds) {
+            ngx_del_async_conn(c, NGX_DISABLE_EVENT);
+            c->num_async_fds--;
+        }
+    }
+}
+#endif

 void
 ngx_close_listening_sockets(ngx_cycle_t *cycle)
@@ -986,7 +998,11 @@ ngx_close_listening_sockets(ngx_cycle_t *cycle)
                      * for closed shared listening sockets unless
                      * the events was explicitly deleted
                      */
-
+#if (NGX_SSL)
+                    if (c->asynch) {
+                        ngx_asynch_del_conn(c);
+                    }
+#endif
                     ngx_del_event(c->read, NGX_READ_EVENT, 0);

                 } else {
@@ -1035,6 +1051,9 @@ ngx_get_connection(ngx_socket_t s, ngx_log_t *log)
 {
     ngx_uint_t         instance;
     ngx_event_t       *rev, *wev;
+#if (NGX_SSL)
+    ngx_event_t       *aev;
+#endif
     ngx_connection_t  *c;

     /* disable warning: Win32 SOCKET is u_int while UNIX socket is int */
@@ -1071,11 +1090,17 @@ ngx_get_connection(ngx_socket_t s, ngx_log_t *log)

     rev = c->read;
     wev = c->write;
+#if (NGX_SSL)
+    aev = c->async;
+#endif

     ngx_memzero(c, sizeof(ngx_connection_t));

     c->read = rev;
     c->write = wev;
+#if (NGX_SSL)
+    c->async = aev;
+#endif
     c->fd = s;
     c->log = log;

@@ -1083,17 +1108,32 @@ ngx_get_connection(ngx_socket_t s, ngx_log_t *log)

     ngx_memzero(rev, sizeof(ngx_event_t));
     ngx_memzero(wev, sizeof(ngx_event_t));
+#if (NGX_SSL)
+    ngx_memzero(aev, sizeof(ngx_event_t));
+#endif

     rev->instance = !instance;
     wev->instance = !instance;
+#if (NGX_SSL)
+    aev->instance = !instance;
+#endif

     rev->index = NGX_INVALID_INDEX;
     wev->index = NGX_INVALID_INDEX;
+#if (NGX_SSL)
+    aev->index = NGX_INVALID_INDEX;
+#endif

     rev->data = c;
     wev->data = c;
+#if (NGX_SSL)
+    aev->data = c;
+#endif

     wev->write = 1;
+#if (NGX_SSL)
+    aev->async = 1;
+#endif

     return c;
 }
@@ -1132,11 +1172,26 @@ ngx_close_connection(ngx_connection_t *c)
         ngx_del_timer(c->write);
     }

+#if (NGX_SSL)
+    if (c->async->timer_set) {
+        ngx_del_timer(c->async);
+    }
+
+    if (c->asynch) {
+        ngx_asynch_del_conn(c);
+    }
+#endif
     if (!c->shared) {
         if (ngx_del_conn) {
             ngx_del_conn(c, NGX_CLOSE_EVENT);

         } else {
+#if (NGX_SSL)
+            if (c->asynch) {
+                ngx_asynch_del_conn(c);
+            }
+#endif
+
             if (c->read->active || c->read->disabled) {
                 ngx_del_event(c->read, NGX_READ_EVENT, NGX_CLOSE_EVENT);
             }
@@ -1155,8 +1210,17 @@ ngx_close_connection(ngx_connection_t *c)
         ngx_delete_posted_event(c->write);
     }

+#if (NGX_SSL)
+    if (c->async->posted) {
+        ngx_delete_posted_event(c->async);
+    }
+#endif
+
     c->read->closed = 1;
     c->write->closed = 1;
+#if (NGX_SSL)
+    c->async->closed = 1;
+#endif

     ngx_reusable_connection(c, 0);

diff --git a/src/core/ngx_connection.h b/src/core/ngx_connection.h
index 1d3e3a3..3a481d9 100644
--- a/src/core/ngx_connection.h
+++ b/src/core/ngx_connection.h
@@ -122,8 +122,14 @@ struct ngx_connection_s {
     void               *data;
     ngx_event_t        *read;
     ngx_event_t        *write;
+#if (NGX_SSL)
+    ngx_event_t        *async;
+#endif

     ngx_socket_t        fd;
+#if (NGX_SSL)
+    ngx_socket_t        async_fd;
+#endif

     ngx_recv_pt         recv;
     ngx_send_pt         send;
@@ -149,6 +155,7 @@ struct ngx_connection_s {

 #if (NGX_SSL || NGX_COMPAT)
     ngx_ssl_connection_t  *ssl;
+    ngx_flag_t          asynch;
 #endif

     struct sockaddr    *local_sockaddr;
@@ -181,6 +188,9 @@ struct ngx_connection_s {
     unsigned            tcp_nopush:2;    /* ngx_connection_tcp_nopush_e */

     unsigned            need_last_buf:1;
+#if (NGX_SSL)
+    unsigned char       num_async_fds;
+#endif

 #if (NGX_HAVE_AIO_SENDFILE || NGX_COMPAT)
     unsigned            busy_count:2;
@@ -205,6 +215,7 @@ struct ngx_connection_s {

 ngx_listening_t *ngx_create_listening(ngx_conf_t *cf, struct sockaddr *sockaddr,
     socklen_t socklen);
+void ngx_asynch_del_conn(ngx_connection_t *c);
 ngx_int_t ngx_clone_listening(ngx_conf_t *cf, ngx_listening_t *ls);
 ngx_int_t ngx_set_inherited_sockets(ngx_cycle_t *cycle);
 ngx_int_t ngx_open_listening_sockets(ngx_cycle_t *cycle);
diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
index 2b48ccb..f79da12 100644
--- a/src/core/ngx_cycle.h
+++ b/src/core/ngx_cycle.h
@@ -71,7 +71,9 @@ struct ngx_cycle_s {
     ngx_connection_t         *connections;
     ngx_event_t              *read_events;
     ngx_event_t              *write_events;
-
+#if (NGX_SSL)
+    ngx_event_t              *async_events;
+#endif
     ngx_cycle_t              *old_cycle;

     ngx_str_t                 conf_file;
diff --git a/src/event/modules/ngx_epoll_module.c b/src/event/modules/ngx_epoll_module.c
index 76aee08..b45202e 100644
--- a/src/event/modules/ngx_epoll_module.c
+++ b/src/event/modules/ngx_epoll_module.c
@@ -122,6 +122,11 @@ static ngx_int_t ngx_epoll_notify(ngx_event_handler_pt handler);
 #endif
 static ngx_int_t ngx_epoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer,
     ngx_uint_t flags);
+#if (NGX_SSL)
+static ngx_int_t ngx_epoll_add_async_connection(ngx_connection_t *c);
+static ngx_int_t ngx_epoll_del_async_connection(ngx_connection_t *c,
+        ngx_uint_t flags);
+#endif

 #if (NGX_HAVE_FILE_AIO)
 static void ngx_epoll_eventfd_handler(ngx_event_t *ev);
@@ -196,6 +201,13 @@ static ngx_event_module_t  ngx_epoll_module_ctx = {
         ngx_epoll_process_events,        /* process the events */
         ngx_epoll_init,                  /* init the events */
         ngx_epoll_done,                  /* done the events */
+#if (NGX_SSL)
+        ngx_epoll_add_async_connection,  /* add an async conn */
+        ngx_epoll_del_async_connection   /* del an async conn */
+#else
+        NULL,
+        NULL
+#endif
     }
 };

@@ -758,6 +770,54 @@ ngx_epoll_del_connection(ngx_connection_t *c, ngx_uint_t flags)
     return NGX_OK;
 }

+#if (NGX_SSL)
+static ngx_int_t
+ngx_epoll_add_async_connection(ngx_connection_t *c)
+{
+    struct epoll_event  ee;
+
+    ee.events = EPOLLIN|EPOLLOUT|EPOLLET|EPOLLRDHUP;
+    ee.data.ptr = (void *) ((uintptr_t) c | (c->async->async << 1) | c->async->instance);
+
+    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "epoll add async connection: fd:%d ev:%08XD", c->async_fd, ee.events);
+    if (epoll_ctl(ep, EPOLL_CTL_ADD, c->async_fd, &ee) == -1) {
+        ngx_log_error(NGX_LOG_ALERT, c->log, ngx_errno,
+                      "async add conn epoll_ctl(EPOLL_CTL_ADD, %d) failed", c->async_fd);
+        return NGX_ERROR;
+    }
+
+    c->async->active = 1;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_epoll_del_async_connection(ngx_connection_t *c, ngx_uint_t flags)
+{
+    int                 op;
+    struct epoll_event  ee;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "epoll del async connection: fd:%d", c->async_fd);
+
+    op = EPOLL_CTL_DEL;
+    ee.events = 0;
+    ee.data.ptr = NULL;
+    if (epoll_ctl(ep, op, c->async_fd, &ee) == -1) {
+        ngx_log_error(NGX_LOG_ALERT, c->log, ngx_errno,
+                      "async del conn epoll_ctl(%d, %d) failed", op, c->async_fd);
+        c->async_fd = -1;
+        return NGX_ERROR;
+    }
+    c->async_fd = -1;
+    c->async->active = 0;
+
+    return NGX_OK;
+}
+#endif
+

 #if (NGX_HAVE_EVENTFD)

@@ -791,6 +851,10 @@ ngx_epoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer, ngx_uint_t flags)
     ngx_event_t       *rev, *wev;
     ngx_queue_t       *queue;
     ngx_connection_t  *c;
+#if (NGX_SSL)
+    ngx_int_t          async;
+    ngx_event_t       *aev;
+#endif

     /* NGX_TIMER_INFINITE == INFTIM */

@@ -837,7 +901,12 @@ ngx_epoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer, ngx_uint_t flags)
         c = event_list[i].data.ptr;

         instance = (uintptr_t) c & 1;
+#if (NGX_SSL)
+        async = ((uintptr_t) c & 2) >> 1;
+        c = (ngx_connection_t *) ((uintptr_t) c & (uintptr_t) ~3);
+#else
         c = (ngx_connection_t *) ((uintptr_t) c & (uintptr_t) ~1);
+#endif

         rev = c->read;

@@ -880,7 +949,11 @@ ngx_epoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer, ngx_uint_t flags)
         }
 #endif

+#if (NGX_SSL)
+        if ((revents & EPOLLIN) && rev->active && !async) {
+#else
         if ((revents & EPOLLIN) && rev->active) {
+#endif

 #if (NGX_HAVE_EPOLLRDHUP)
             if (revents & EPOLLRDHUP) {
@@ -905,7 +978,11 @@ ngx_epoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer, ngx_uint_t flags)

         wev = c->write;

+#if (NGX_SSL)
+        if ((revents & EPOLLOUT) && wev->active && !async) {
+#else
         if ((revents & EPOLLOUT) && wev->active) {
+#endif

             if (c->fd == -1 || wev->instance != instance) {

@@ -931,6 +1008,32 @@ ngx_epoll_process_events(ngx_cycle_t *cycle, ngx_msec_t timer, ngx_uint_t flags)
                 wev->handler(wev);
             }
         }
+#if (NGX_SSL)
+        aev = c->async;
+
+        if ((revents & EPOLLIN) && aev->active && async) {
+
+            if (c->async_fd == -1 || aev->instance!= instance) {
+                /*
+                 * the stale event from a file descriptor
+                 * that was just closed in this iteration
+                 */
+
+                ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+                               "epoll: stale event %p", c);
+                continue;
+            }
+
+            aev->ready = 1;
+
+            if (flags & NGX_POST_EVENTS) {
+                ngx_post_event(aev, &ngx_posted_events);
+
+            } else {
+                aev->handler(aev);
+            }
+        }
+#endif
     }

     return NGX_OK;
diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
index 57af813..ed973d2 100644
--- a/src/event/ngx_event.c
+++ b/src/event/ngx_event.c
@@ -170,7 +170,7 @@ static ngx_event_module_t  ngx_event_core_module_ctx = {
     ngx_event_core_create_conf,            /* create configuration */
     ngx_event_core_init_conf,              /* init configuration */

-    { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
+    { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}
 };


@@ -569,6 +569,9 @@ ngx_event_process_init(ngx_cycle_t *cycle)
 {
     ngx_uint_t           m, i;
     ngx_event_t         *rev, *wev;
+#if (NGX_SSL)
+    ngx_event_t         *aev;
+#endif
     ngx_listening_t     *ls;
     ngx_connection_t    *c, *next, *old;
     ngx_core_conf_t     *ccf;
@@ -711,6 +714,19 @@ ngx_event_process_init(ngx_cycle_t *cycle)
         wev[i].closed = 1;
     }

+#if (NGX_SSL)
+    cycle->async_events = ngx_alloc(sizeof(ngx_event_t) * cycle->connection_n,
+            cycle->log);
+    if (cycle->async_events == NULL) {
+        return NGX_ERROR;
+    }
+
+    aev = cycle->async_events;
+    for (i = 0; i < cycle->connection_n; i++) {
+        aev[i].closed = 1;
+        aev[i].instance = 1;
+    }
+#endif
     i = cycle->connection_n;
     next = NULL;

@@ -721,6 +737,10 @@ ngx_event_process_init(ngx_cycle_t *cycle)
         c[i].read = &cycle->read_events[i];
         c[i].write = &cycle->write_events[i];
         c[i].fd = (ngx_socket_t) -1;
+#if (NGX_SSL)
+        c[i].async = &cycle->async_events[i];
+        c[i].async_fd = (ngx_socket_t) -1;
+#endif

         next = &c[i];
     } while (i);
diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h
index 053bd16..6a9ded8 100644
--- a/src/event/ngx_event.h
+++ b/src/event/ngx_event.h
@@ -32,6 +32,10 @@ struct ngx_event_s {

     unsigned         write:1;

+#if (NGX_SSL)
+    unsigned         async:1;
+#endif
+
     unsigned         accept:1;

     /* used to detect the stale events in kqueue and epoll */
@@ -108,6 +112,9 @@ struct ngx_event_s {
 #endif

     ngx_event_handler_pt  handler;
+#if (NGX_SSL)
+    ngx_event_handler_pt  saved_handler;
+#endif


 #if (NGX_HAVE_IOCP)
@@ -191,6 +198,8 @@ typedef struct {

     ngx_int_t  (*init)(ngx_cycle_t *cycle, ngx_msec_t timer);
     void       (*done)(ngx_cycle_t *cycle);
+    ngx_int_t  (*add_async_conn)(ngx_connection_t *c);
+    ngx_int_t  (*del_async_conn)(ngx_connection_t *c, ngx_uint_t flags);
 } ngx_event_actions_t;


@@ -415,6 +424,8 @@ extern ngx_uint_t            ngx_use_epoll_rdhup;
 #define ngx_del_event        ngx_event_actions.del
 #define ngx_add_conn         ngx_event_actions.add_conn
 #define ngx_del_conn         ngx_event_actions.del_conn
+#define ngx_add_async_conn   ngx_event_actions.add_async_conn
+#define ngx_del_async_conn   ngx_event_actions.del_async_conn

 #define ngx_notify           ngx_event_actions.notify

diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
index 7756370..f8cec14 100644
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -249,6 +249,9 @@ ngx_event_accept(ngx_event_t *ev)

         rev->log = log;
         wev->log = log;
+#if (NGX_SSL)
+        c->async->log = log;
+#endif

         /*
          * TODO: MT: - ngx_atomic_fetch_add()
@@ -735,6 +738,11 @@ ngx_disable_accept_events(ngx_cycle_t *cycle, ngx_uint_t all)

 #endif

+#if (NGX_SSL)
+        if (c->asynch) {
+            ngx_asynch_del_conn(c);
+        }
+#endif
         if (ngx_del_event(c->read, NGX_READ_EVENT, NGX_DISABLE_EVENT)
             == NGX_ERROR)
         {
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 8c7c677..a581967 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -115,6 +115,13 @@ int  ngx_ssl_next_certificate_index;
 int  ngx_ssl_certificate_name_index;
 int  ngx_ssl_stapling_index;

+static void
+ngx_ssl_empty_handler(ngx_event_t *aev)
+{
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, aev->log, 0, "ssl empty handler");
+
+    return;
+}

 ngx_int_t
 ngx_ssl_init(ngx_log_t *log)
@@ -336,6 +343,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
 #endif

+    if (ssl->asynch) {
+        SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ASYNC);
+    }
+
     SSL_CTX_set_read_ahead(ssl->ctx, 1);

     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
@@ -366,6 +377,26 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
     return NGX_OK;
 }

+static ENGINE *
+ngx_ssl_setup_engine(const char *engine)
+{
+    ENGINE *e = NULL;
+
+#ifndef OPENSSL_NO_ENGINE
+    if (engine) {
+        if ((e = ENGINE_by_id(engine)) == NULL) {
+            return NULL;
+        }
+
+        ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, NULL, 0, 1);
+        if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+            ENGINE_free(e);
+            return NULL;
+        }
+    }
+#endif
+    return e;
+}

 ngx_int_t
 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
@@ -375,6 +406,7 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
     X509        *x509;
     u_long       n;
     ngx_str_t   *pwd;
+    char        *qat_engine = "qat";
     ngx_uint_t   tries;

     if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
@@ -494,6 +526,12 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,

     BIO_free(bio);

+    ssl->engine = ngx_ssl_setup_engine(qat_engine);
+    if (!ssl->engine) {
+        ngx_ssl_error(NGX_LOG_NOTICE, ssl->log, 0,
+                "Load ENGINE(\"%s\") failed", qat_engine);
+    }
+
     if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {

 #ifndef OPENSSL_NO_ENGINE
@@ -1193,6 +1231,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
     }

     c->ssl = sc;
+    c->asynch = ssl->asynch;

     return NGX_OK;
 }
@@ -1211,6 +1250,100 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
     return NGX_OK;
 }

+ngx_int_t
+ngx_ssl_async_process_fds(ngx_connection_t *c)
+{
+    OSSL_ASYNC_FD *add_fds = NULL;
+    OSSL_ASYNC_FD *del_fds = NULL;
+    size_t        num_add_fds = 0;
+    size_t        num_del_fds = 0;
+    unsigned      loop = 0;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "ngx_ssl_async_process_fds called");
+
+    if (!ngx_del_async_conn || !ngx_add_async_conn) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+                      "Async notifications not supported");
+        return 0;
+    }
+
+    SSL_get_changed_async_fds(c->ssl->connection, NULL, &num_add_fds,
+                              NULL, &num_del_fds);
+
+    if (num_add_fds) {
+        add_fds = ngx_alloc(num_add_fds * sizeof(OSSL_ASYNC_FD), c->log);
+        if (add_fds == NULL) {
+            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+                          "Memory Allocation Error");
+            return 0;
+        }
+    }
+
+    if (num_del_fds) {
+        del_fds = ngx_alloc(num_del_fds * sizeof(OSSL_ASYNC_FD), c->log);
+        if (del_fds == NULL) {
+            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+                          "Memory Allocation Error");
+            if (add_fds)
+                ngx_free(add_fds);
+            return 0;
+        }
+    }
+
+    SSL_get_changed_async_fds(c->ssl->connection, add_fds, &num_add_fds,
+                              del_fds, &num_del_fds);
+
+    if (num_del_fds) {
+        for (loop = 0; loop < num_del_fds; loop++) {
+            c->async_fd = del_fds[loop];
+            if (c->num_async_fds) {
+                ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "%s: deleting fd = %d", __func__, c->async_fd);
+                ngx_del_async_conn(c, NGX_DISABLE_EVENT);
+                c->num_async_fds--;
+            }
+        }
+    }
+    if (num_add_fds) {
+        for (loop = 0; loop < num_add_fds; loop++) {
+            if (c->num_async_fds == 0) {
+                c->num_async_fds++;
+                c->async_fd = add_fds[loop];
+                ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "%s: adding fd = %d", __func__, c->async_fd);
+                ngx_add_async_conn(c);
+            }
+        }
+    }
+
+    if (add_fds)
+        ngx_free(add_fds);
+    if (del_fds)
+        ngx_free(del_fds);
+
+    return 1;
+}
+
+static void
+ngx_ssl_handshake_async_handler(ngx_event_t *aev)
+{
+    ngx_connection_t  *c;
+
+    c = aev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "SSL handshake async handler");
+
+    aev->ready = 0;
+    aev->handler = ngx_ssl_empty_handler;
+    c->read->handler = c->read->saved_handler;
+
+    if (ngx_ssl_handshake(c) == NGX_AGAIN) {
+        return;
+    }
+
+    c->ssl->handler(c);
+}
+

 ngx_int_t
 ngx_ssl_handshake(ngx_connection_t *c)
@@ -1226,6 +1359,10 @@ ngx_ssl_handshake(ngx_connection_t *c)

     if (n == 1) {

+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
         if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
             return NGX_ERROR;
         }
@@ -1307,6 +1444,10 @@ ngx_ssl_handshake(ngx_connection_t *c)
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

     if (sslerr == SSL_ERROR_WANT_READ) {
+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
         c->read->ready = 0;
         c->read->handler = ngx_ssl_handshake_handler;
         c->write->handler = ngx_ssl_handshake_handler;
@@ -1323,6 +1464,10 @@ ngx_ssl_handshake(ngx_connection_t *c)
     }

     if (sslerr == SSL_ERROR_WANT_WRITE) {
+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
         c->write->ready = 0;
         c->read->handler = ngx_ssl_handshake_handler;
         c->write->handler = ngx_ssl_handshake_handler;
@@ -1338,6 +1483,21 @@ ngx_ssl_handshake(ngx_connection_t *c)
         return NGX_AGAIN;
     }

+    if (c->asynch && sslerr == SSL_ERROR_WANT_ASYNC) {
+        c->async->handler = ngx_ssl_handshake_async_handler;
+        c->read->saved_handler = c->read->handler;
+        c->read->handler = ngx_ssl_empty_handler;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                "SSL ASYNC WANT recieved: \"%s\"", __func__);
+
+        if (ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
+        return NGX_AGAIN;
+    }
+
     err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

     c->ssl->no_wait_shutdown = 1;
@@ -1378,6 +1538,11 @@ ngx_ssl_handshake_handler(ngx_event_t *ev)
         return;
     }

+    /*
+     * empty the handler of async event to avoid
+     * going back to previous ssl shutdown state
+     */
+    c->async->handler = ngx_ssl_empty_handler;
     c->ssl->handler(c);
 }

@@ -1518,6 +1683,22 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
     }
 }

+static void
+ngx_ssl_read_async_handler(ngx_event_t *aev)
+{
+    ngx_connection_t  *c;
+
+    c = aev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "SSL read async handler");
+
+    aev->ready = 0;
+    aev->handler = ngx_ssl_empty_handler;
+    c->read->handler = c->read->saved_handler;
+
+    c->read->handler(c->read);
+}

 static ngx_int_t
 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
@@ -1549,6 +1730,10 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)

     if (n > 0) {

+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
         if (c->ssl->saved_write_handler) {

             c->write->handler = c->ssl->saved_write_handler;
@@ -1572,6 +1757,10 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

     if (sslerr == SSL_ERROR_WANT_READ) {
+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
         c->read->ready = 0;
         return NGX_AGAIN;
     }
@@ -1581,6 +1770,10 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "peer started SSL renegotiation");

+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
         c->write->ready = 0;

         if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
@@ -1599,6 +1792,21 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n)
         return NGX_AGAIN;
     }

+    if (c->asynch && sslerr == SSL_ERROR_WANT_ASYNC) {
+        c->async->handler = ngx_ssl_read_async_handler;
+        c->read->saved_handler = c->read->handler;
+        c->read->handler = ngx_ssl_empty_handler;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                "SSL ASYNC WANT recieved: \"%s\"", __func__);
+
+        if (ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
+        return NGX_AGAIN;
+    }
+
     c->ssl->no_wait_shutdown = 1;
     c->ssl->no_send_shutdown = 1;

@@ -1787,6 +1995,22 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
     return in;
 }

+static void
+ngx_ssl_write_async_handler(ngx_event_t *aev)
+{
+    ngx_connection_t  *c;
+
+    c = aev->data;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                   "SSL write async handler");
+
+    aev->ready = 0;
+    aev->handler = ngx_ssl_empty_handler;
+    c->read->handler = c->read->saved_handler;
+
+    c->write->handler(c->write);
+}

 ssize_t
 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
@@ -1804,6 +2028,10 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)

     if (n > 0) {

+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
         if (c->ssl->saved_read_handler) {

             c->read->handler = c->ssl->saved_read_handler;
@@ -1829,6 +2057,9 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

     if (sslerr == SSL_ERROR_WANT_WRITE) {
+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
         c->write->ready = 0;
         return NGX_AGAIN;
     }
@@ -1838,6 +2069,9 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "peer started SSL renegotiation");

+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
         c->read->ready = 0;

         if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
@@ -1857,6 +2091,21 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
         return NGX_AGAIN;
     }

+    if (c->asynch && sslerr == SSL_ERROR_WANT_ASYNC) {
+        c->async->handler = ngx_ssl_write_async_handler;
+        c->read->saved_handler = c->read->handler;
+        c->read->handler = ngx_ssl_empty_handler;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                "SSL ASYNC WANT recieved: \"%s\"", __func__);
+
+        if (ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
+
+        return NGX_AGAIN;
+    }
+
     c->ssl->no_wait_shutdown = 1;
     c->ssl->no_send_shutdown = 1;
     c->write->error = 1;
@@ -1888,6 +2137,40 @@ ngx_ssl_free_buffer(ngx_connection_t *c)
     }
 }

+static void
+ngs_ssl_shutdown_async_del_conn(ngx_connection_t *c)
+{
+    ngx_ssl_async_process_fds(c);
+    ngx_asynch_del_conn(c);
+    ngx_del_conn(c, NGX_DISABLE_EVENT);
+}
+
+static void
+ngx_ssl_shutdown_async_handler(ngx_event_t *aev)
+{
+    ngx_connection_t           *c;
+    ngx_connection_handler_pt   handler;
+
+    c = aev->data;
+    handler = c->ssl->handler;
+
+    if (aev->timedout) {
+        c->timedout = 1;
+    }
+
+    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, aev->log, 0,
+                   "SSL shutdown async handler");
+
+    aev->ready = 0;
+    aev->handler = ngx_ssl_empty_handler;
+    c->read->handler = c->read->saved_handler;
+
+    if (ngx_ssl_shutdown(c) == NGX_AGAIN) {
+        return;
+    }
+
+    handler(c);
+}

 ngx_int_t
 ngx_ssl_shutdown(ngx_connection_t *c)
@@ -1902,6 +2185,21 @@ ngx_ssl_shutdown(ngx_connection_t *c)
          * Avoid calling SSL_shutdown() if handshake wasn't completed.
          */

+        if (c->asynch) {
+            /* Check if there is inflight request */
+            if (SSL_want_async(c->ssl->connection) && !c->timedout) {
+                c->async->handler = ngx_ssl_shutdown_async_handler;
+                ngx_ssl_async_process_fds(c);
+                ngx_add_timer(c->async, 300);
+                return NGX_AGAIN;
+            }
+
+            /* Ignore errors from ngx_ssl_async_process_fds as
+             * we want to carry on and close the SSL connection
+             * anyway. */
+            ngs_ssl_shutdown_async_del_conn(c);
+        }
+
         SSL_free(c->ssl->connection);
         c->ssl = NULL;

@@ -1941,13 +2239,26 @@ ngx_ssl_shutdown(ngx_connection_t *c)
     /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */

     if (n != 1 && ERR_peek_error()) {
+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
         sslerr = SSL_get_error(c->ssl->connection, n);
-
         ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                        "SSL_get_error: %d", sslerr);
     }
+    else if (c->asynch && n == -1) {
+        sslerr = SSL_get_error(c->ssl->connection, n);
+        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "SSL_get_error async: %d", sslerr);
+    }

     if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) {
+        if (c->asynch) {
+            /* Ignore errors from ngx_ssl_async_process_fds as
+             * we want to carry on and close the SSL connection
+             * anyway. */
+            ngs_ssl_shutdown_async_del_conn(c);
+        }
         SSL_free(c->ssl->connection);
         c->ssl = NULL;

@@ -1955,6 +2266,9 @@ ngx_ssl_shutdown(ngx_connection_t *c)
     }

     if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) {
+        if (c->asynch && ngx_ssl_async_process_fds(c) == 0) {
+            return NGX_ERROR;
+        }
         c->read->handler = ngx_ssl_shutdown_handler;
         c->write->handler = ngx_ssl_shutdown_handler;

@@ -1973,6 +2287,28 @@ ngx_ssl_shutdown(ngx_connection_t *c)
         return NGX_AGAIN;
     }

+    if (c->asynch) {
+        if (sslerr == SSL_ERROR_WANT_ASYNC) {
+            c->async->handler = ngx_ssl_shutdown_async_handler;
+            c->read->saved_handler = ngx_ssl_shutdown_handler;
+            c->read->handler = ngx_ssl_empty_handler;
+            c->write->handler = ngx_ssl_shutdown_handler;
+
+            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                    "SSL ASYNC WANT recieved: \"%s\"", __func__);
+
+            /* Ignore errors from ngx_ssl_async_process_fds as
+             * we want to carry on anyway. */
+            ngx_ssl_async_process_fds(c);
+            return NGX_AGAIN;
+        }
+
+        /* Ignore errors from ngx_ssl_async_process_fds as
+         * we want to carry on and close the SSL connection
+         * anyway. */
+        ngs_ssl_shutdown_async_del_conn(c);
+    }
+
     err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

     ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");
@@ -2003,6 +2339,11 @@ ngx_ssl_shutdown_handler(ngx_event_t *ev)
         return;
     }

+    /*
+     * empty the handler of async event to avoid
+     * going back to previous ssl shutdown state
+     */
+    c->async->handler = ngx_ssl_empty_handler;
     handler(c);
 }

@@ -3145,6 +3486,9 @@ ngx_ssl_cleanup_ctx(void *data)
     }

     SSL_CTX_free(ssl->ctx);
+    if (ssl->engine) {
+        ENGINE_free(ssl->engine);
+    }
 }


diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index e093e10..3629d07 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -57,7 +57,9 @@
 struct ngx_ssl_s {
     SSL_CTX                    *ctx;
     ngx_log_t                  *log;
+    ENGINE                     *engine;
     size_t                      buffer_size;
+    ngx_flag_t                  asynch;
 };


@@ -187,6 +189,7 @@ ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);

 ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);

+#define ngx_ssl_waiting_for_async(c) SSL_waiting_for_async(c->ssl->connection)

 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
@@ -239,7 +242,7 @@ ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);
 void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
     char *fmt, ...);
 void ngx_ssl_cleanup_ctx(void *data);
-
+ngx_int_t ngx_ssl_async_process_fds(ngx_connection_t *c);

 extern int  ngx_ssl_connection_index;
 extern int  ngx_ssl_server_conf_index;
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 2771ac1..d893ee7 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -43,6 +43,8 @@ static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,

 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
+static char *ngx_http_ssl_enable_asynch(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
@@ -79,6 +81,13 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
       offsetof(ngx_http_ssl_srv_conf_t, enable),
       NULL },

+    { ngx_string("ssl_asynch"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_http_ssl_enable_asynch,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, enable_asynch),
+      NULL },
+
     { ngx_string("ssl_certificate"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_array_slot,
@@ -541,6 +550,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
      */

     sscf->enable = NGX_CONF_UNSET;
+    sscf->enable_asynch = NGX_CONF_UNSET;
     sscf->prefer_server_ciphers = NGX_CONF_UNSET;
     sscf->buffer_size = NGX_CONF_UNSET_SIZE;
     sscf->verify = NGX_CONF_UNSET_UINT;
@@ -578,6 +588,17 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
         }
     }

+    if (conf->enable_asynch == NGX_CONF_UNSET) {
+        if (prev->enable_asynch == NGX_CONF_UNSET) {
+            conf->enable_asynch = 0;
+
+        } else {
+            conf->enable_asynch = prev->enable_asynch;
+            conf->file = prev->file;
+            conf->line = prev->line;
+        }
+    }
+
     ngx_conf_merge_value(conf->session_timeout,
                          prev->session_timeout, 300);

@@ -650,6 +671,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
             return NGX_CONF_ERROR;
         }

+        conf->ssl.asynch = conf->enable_asynch;
     } else {

         if (conf->certificates == NULL) {
@@ -822,6 +844,36 @@ ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
     return NGX_CONF_OK;
 }

+static char *
+ngx_http_ssl_enable_asynch(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    ngx_http_ssl_srv_conf_t *sscf = conf;
+
+    char  *rv;
+
+    ngx_flag_t       *pssl, *pssl_asynch;
+
+    rv = ngx_conf_set_flag_slot(cf, cmd, conf);
+
+    if (rv != NGX_CONF_OK) {
+        return rv;
+    }
+
+    /* If ssl_asynch on is configured, then ssl on is configured by default
+     * This will align 'ssl_asynch on;' and 'listen port ssl' diretives
+     * */
+    pssl = (ngx_flag_t *) ((char *)conf + offsetof(ngx_http_ssl_srv_conf_t, enable));
+    pssl_asynch = (ngx_flag_t *) ((char *)conf + cmd->offset);
+
+    if(*pssl_asynch && *pssl != 1) {
+        *pssl = *pssl_asynch;
+    }
+
+    sscf->file = cf->conf_file->file.name.data;
+    sscf->line = cf->conf_file->line;
+
+    return NGX_CONF_OK;
+}

 static char *
 ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
index 57f5941..b97417a 100644
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -17,6 +17,8 @@
 typedef struct {
     ngx_flag_t                      enable;

+    ngx_flag_t                      enable_asynch;
+
     ngx_ssl_t                       ssl;

     ngx_flag_t                      prefer_server_ciphers;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 476f039..693c4f0 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -447,9 +447,21 @@ ngx_http_wait_request_handler(ngx_event_t *rev)
          * We are trying to not hold c->buffer's memory for an idle connection.
          */

-        if (ngx_pfree(c->pool, b->start) == NGX_OK) {
-            b->start = NULL;
+        /* For the Async implementation we need the same buffer to be used
+         * again on any async calls that have not completed.
+         * As such we need to turn off this optimisation if an async request
+         * is still in progress.
+         */
+
+#if (NGX_HTTP_SSL)
+        if ((c->asynch && !ngx_ssl_waiting_for_async(c)) || !c->asynch) {
+#endif
+            if (ngx_pfree(c->pool, b->start) == NGX_OK) {
+                b->start = NULL;
+            }
+#if (NGX_HTTP_SSL)
         }
+#endif

         return;
     }
@@ -1385,12 +1397,22 @@ ngx_http_read_request_header(ngx_http_request_t *r)
         return n;
     }

-    if (rev->ready) {
+#if (NGX_HTTP_SSL)
+    if (c->asynch) {
         n = c->recv(c, r->header_in->last,
+                r->header_in->end - r->header_in->last);
+    }
+    else {
+#endif
+        if (rev->ready) {
+            n = c->recv(c, r->header_in->last,
                     r->header_in->end - r->header_in->last);
-    } else {
-        n = NGX_AGAIN;
+        } else {
+            n = NGX_AGAIN;
+        }
+#if (NGX_HTTP_SSL)
     }
+#endif

     if (n == NGX_AGAIN) {
         if (!rev->timer_set) {
@@ -2954,52 +2976,62 @@ ngx_http_set_keepalive(ngx_http_request_t *r)
      * c->pool and are freed too.
      */

-    b = c->buffer;
-
-    if (ngx_pfree(c->pool, b->start) == NGX_OK) {
+    /* For the Async implementation we need the same buffer to be used
+     * again on any async calls that have not completed.
+     * As such we need to turn off this optimisation if an async request
+     * is still in progress.
+     */

-        /*
-         * the special note for ngx_http_keepalive_handler() that
-         * c->buffer's memory was freed
-         */
+#if (NGX_HTTP_SSL)
+    if ((c->asynch && !ngx_ssl_waiting_for_async(c)) || !c->asynch) {
+#endif
+        b = c->buffer;

-        b->pos = NULL;
+        if (ngx_pfree(c->pool, b->start) == NGX_OK) {

-    } else {
-        b->pos = b->start;
-        b->last = b->start;
-    }
+            /*
+             * the special note for ngx_http_keepalive_handler() that
+             * c->buffer's memory was freed
+             */

-    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "hc free: %p",
-                   hc->free);
+            b->pos = NULL;

-    if (hc->free) {
-        for (cl = hc->free; cl; /* void */) {
-            ln = cl;
-            cl = cl->next;
-            ngx_pfree(c->pool, ln->buf->start);
-            ngx_free_chain(c->pool, ln);
+        } else {
+            b->pos = b->start;
+            b->last = b->start;
         }

-        hc->free = NULL;
-    }
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "hc free: %p",
+                hc->free);

-    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, "hc busy: %p %i",
-                   hc->busy, hc->nbusy);
+        if (hc->free) {
+            for (cl = hc->free; cl; /* void */) {
+                ln = cl;
+                cl = cl->next;
+                ngx_pfree(c->pool, ln->buf->start);
+                ngx_free_chain(c->pool, ln);
+            }

-    if (hc->busy) {
-        for (cl = hc->busy; cl; /* void */) {
-            ln = cl;
-            cl = cl->next;
-            ngx_pfree(c->pool, ln->buf->start);
-            ngx_free_chain(c->pool, ln);
+            hc->free = NULL;
         }

-        hc->busy = NULL;
-        hc->nbusy = 0;
-    }
+        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, "hc busy: %p %i",
+                hc->busy, hc->nbusy);

+        if (hc->busy) {
+            for (cl = hc->busy; cl; /* void */) {
+                ln = cl;
+                cl = cl->next;
+                ngx_pfree(c->pool, ln->buf->start);
+                ngx_free_chain(c->pool, ln);
+            }
+
+            hc->busy = NULL;
+            hc->nbusy = 0;
+        }
 #if (NGX_HTTP_SSL)
+    }
+
     if (c->ssl) {
         ngx_ssl_free_buffer(c);
     }
@@ -3008,6 +3040,11 @@ ngx_http_set_keepalive(ngx_http_request_t *r)
     rev->handler = ngx_http_keepalive_handler;

     if (wev->active && (ngx_event_flags & NGX_USE_LEVEL_EVENT)) {
+#if (NGX_HTTP_SSL)
+        if (c->asynch) {
+            ngx_asynch_del_conn(c);
+        }
+#endif
         if (ngx_del_event(wev, NGX_WRITE_EVENT, 0) != NGX_OK) {
             ngx_http_close_connection(c);
             return;
@@ -3152,15 +3189,27 @@ ngx_http_keepalive_handler(ngx_event_t *rev)
          * Like ngx_http_set_keepalive() we are trying to not hold
          * c->buffer's memory for a keepalive connection.
          */
+
+        /* For the Async implementation we need the same buffer to be used
+         * again on any async calls that have not completed.
+         * As such we need to turn off this optimisation if an async request
+         * is still in progress.
+         */

-        if (ngx_pfree(c->pool, b->start) == NGX_OK) {
+#if (NGX_HTTP_SSL)
+        if ((c->asynch && !ngx_ssl_waiting_for_async(c)) || !c->asynch) {
+#endif
+            if (ngx_pfree(c->pool, b->start) == NGX_OK) {

-            /*
-             * the special note that c->buffer's memory was freed
-             */
+                /*
+                 * the special note that c->buffer's memory was freed
+                 */

-            b->pos = NULL;
+                b->pos = NULL;
+            }
+#if (NGX_HTTP_SSL)
         }
+#endif

         return;
     }
@@ -3229,6 +3278,11 @@ ngx_http_set_lingering_close(ngx_http_request_t *r)
     wev->handler = ngx_http_empty_handler;

     if (wev->active && (ngx_event_flags & NGX_USE_LEVEL_EVENT)) {
+#if (NGX_HTTP_SSL)
+        if (c->asynch) {
+            ngx_asynch_del_conn(c);
+        }
+#endif
         if (ngx_del_event(wev, NGX_WRITE_EVENT, 0) != NGX_OK) {
             ngx_http_close_request(r, 0);
             return;
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 3695286..79bc8e9 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1285,7 +1285,11 @@ ngx_http_upstream_check_broken_connection(ngx_http_request_t *r,
         if ((ngx_event_flags & NGX_USE_LEVEL_EVENT) && ev->active) {

             event = ev->write ? NGX_WRITE_EVENT : NGX_READ_EVENT;
-
+#if (NGX_HTTP_SSL)
+            if (c->asynch) {
+                ngx_asynch_del_conn(c);
+            }
+#endif
             if (ngx_del_event(ev, event, 0) != NGX_OK) {
                 ngx_http_upstream_finalize_request(r, u,
                                                NGX_HTTP_INTERNAL_SERVER_ERROR);
@@ -1412,7 +1416,11 @@ ngx_http_upstream_check_broken_connection(ngx_http_request_t *r,
     if ((ngx_event_flags & NGX_USE_LEVEL_EVENT) && ev->active) {

         event = ev->write ? NGX_WRITE_EVENT : NGX_READ_EVENT;
-
+#if (NGX_HTTP_SSL)
+        if (c->asynch) {
+            ngx_asynch_del_conn(c);
+        }
+#endif
         if (ngx_del_event(ev, event, 0) != NGX_OK) {
             ngx_http_upstream_finalize_request(r, u,
                                                NGX_HTTP_INTERNAL_SERVER_ERROR);
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 1710ea8..7228198 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -1027,6 +1027,11 @@ ngx_channel_handler(ngx_event_t *ev)
         if (n == NGX_ERROR) {

             if (ngx_event_flags & NGX_USE_EPOLL_EVENT) {
+#if (NGX_HTTP_SSL)
+                if (c->asynch) {
+                    ngx_asynch_del_conn(c);
+                }
+#endif
                 ngx_del_conn(c, 0);
             }

# tar xzf nginx-1.12.2.tar.gz

# cd nginx-1.12.2/

# patch –Np1 –i /path/to/nginx-qat.patch

# OPENSSL_LIB=/usr/local/ssl

# ./configure --with-http_ssl_module \

   --conf-path=/etc/nginx/nginx.conf \

   --http-log-path=/var/log/nginx/access.log \

   --error-log-path=/var/log/nginx/error.log \

    --with-debug \

   --with-cc-opt="-I$OPENSSL_LIB/include" \

   --with-ld-opt="-Wl,-rpath=$OPENSSL_LIB/lib -L$OPENSSL_LIB/lib"

# make

# make install

2.5 HAProxy

# tar xzf haproxy-1.8.4.tar.gz

# cd haproxy-1.8.4

#make TARGET=linux26 USE_OPENSSL=1SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib ADDLIB=-ldl

3.测试性能

3.1 OpenSSL

3.1.1 QAT Engine加载

# cd /path/to/openssl-OpenSSL_1_1_0g/apps

# ./openssl engine -t -c-vvvv qat

(qat) Reference implementation of QAT crypto engine
 [RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF]
     [ available ]
     ENABLE_EXTERNAL_POLLING: Enables the external polling interface to the engine.
          (input flags): NO_INPUT
     POLL: Polls the engine for any completed requests
          (input flags): NO_INPUT
     SET_INSTANCE_FOR_THREAD: Set instance to be used by this thread
          (input flags): NUMERIC
     GET_NUM_OP_RETRIES: Get number of retries
          (input flags): NO_INPUT
     SET_MAX_RETRY_COUNT: Set maximum retry count
          (input flags): NUMERIC
     SET_INTERNAL_POLL_INTERVAL: Set internal polling interval
          (input flags): NUMERIC
     GET_EXTERNAL_POLLING_FD: Returns non blocking fd for crypto engine
          (input flags): NO_INPUT
     ENABLE_EVENT_DRIVEN_POLLING_MODE: Set event driven polling mode
          (input flags): NO_INPUT
     GET_NUM_CRYPTO_INSTANCES: Get the number of crypto instances
          (input flags): NO_INPUT
     DISABLE_EVENT_DRIVEN_POLLING_MODE: Unset event driven polling mode
          (input flags): NO_INPUT
     SET_EPOLL_TIMEOUT: Set epoll_wait timeout
          (input flags): NUMERIC
     SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD: Set QAT small packet threshold
          (input flags): STRING
     ENABLE_INLINE_POLLING: Enables the inline polling mode.
          (input flags): NO_INPUT
 [ available ]
     ENABLE_EXTERNAL_POLLING: Enables the external polling interface to the engine.
          (input flags): NO_INPUT
     POLL: Polls the engine for any completed requests
          (input flags): NO_INPUT
     SET_INSTANCE_FOR_THREAD: Set instance to be used by this thread
          (input flags): NUMERIC
     GET_NUM_OP_RETRIES: Get number of retries
          (input flags): NO_INPUT
     SET_MAX_RETRY_COUNT: Set maximum retry count
          (input flags): NUMERIC
     SET_INTERNAL_POLL_INTERVAL: Set internal polling interval
          (input flags): NUMERIC
     GET_EXTERNAL_POLLING_FD: Returns non blocking fd for crypto engine
          (input flags): NO_INPUT
     ENABLE_EVENT_DRIVEN_POLLING_MODE: Set event driven polling mode
          (input flags): NO_INPUT
     GET_NUM_CRYPTO_INSTANCES: Get the number of crypto instances
          (input flags): NO_INPUT
     DISABLE_EVENT_DRIVEN_POLLING_MODE: Unset event driven polling mode
          (input flags): NO_INPUT
     SET_EPOLL_TIMEOUT: Set epoll_wait timeout
          (input flags): NUMERIC
     SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD: Set QAT small packet threshold
          (input flags): STRING
     ENABLE_INLINE_POLLING: Enables the inline polling mode.
          (input flags): NO_INPUT

3.1.2 RSA 2048

软件同步:

# ./openssl speed-elapsed rsa2048

硬件同步:

# ./openssl speed-engine qat -elapsed rsa2048

硬件异步:

# ./openssl speed-engine qat -elapsed -async_jobs 72 rsa2048

3.1.3 ECDH

软件同步:

# ./openssl speed-elapsed ecdh

硬件同步:

# ./openssl speed-engine qat -elapsed ecdh

硬件异步:

# ./openssl speed-engine qat -elapsed -async_jobs 36 ecdh

3.1.4 ECDSA

软件同步:

# ./openssl speed-elapsed ecdsa

硬件同步:

# ./openssl speed-engine qat -elapsed ecdsa

硬件异步:

# ./openssl speed-engine qat -elapsed -async_jobs 36 ecdsa

3.1.5 aes-128-cbc-hmac-sha256

软件同步:

# ./openssl speed-elapsed -multi 2 -evp aes-128-cbc-hmac-sha256

硬件同步:

# ./openssl speed-engine qat -elapsed -multi 2 -evp aes-128-cbc-hmac-sha256

硬件异步:

# ./openssl speed-engine qat -elapsed -async_jobs 128 -multi 2 -evp aes-128-cbc-hmac-sha256

3.2 Nginx

3.2.1配置文件

/etc/nginx/nginx.conf:

user root;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
}

http {

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;
        gzip_disable "msie6";

        include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/v.conf:

upstream domain1 {
    server 181.1.1.1;
}

server {
    listen       447 ssl;

    ssl_asynch          on;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /root/cert/ecdsa.pem;
    ssl_certificate_key /root/cert/ecdsa.key;
        location / {
                proxy_pass http://domain1;
    }
}

3.2.2 运行

# /usr/local/nginx/sbin/nginx

3.3 HAproxy

3.3.1 配置文件

ssl.cfg:

global
    maxconn 100
    ssl-mode-async
    ssl-engine qat

defaults
        mode http
        timeout connect 5s
        timeout client 5s
        timeout server 5s

frontend myfrontend
        bind :447 ssl crt /root/hap-cert/cert.pem crt /root/hap-cert/
        default_backend mybackend

backend mybackend
        server s3 181.1.1.1:80

3.3.2 运行

# cd haproxy-1.8.4

# ./haproxy –f ssl.cfg

3.4 测试

# cat /sys/kernel/debug/qat_c6xx_04\:00.0/fw_counters

跑流量。完毕后再次执行:

# cat /sys/kernel/debug/qat_c6xx_04\:00.0/fw_counters

如果数据发送变化,说明QAT生效。

你可能感兴趣的:(密码学,SSL/TLS,QAT,OpenSSL)

  • 【网络安全】使用mbedtls 实现 RSA 签名、验签、加密、解密 亿码归一码 网络安全web安全安全
    简介mbedtls(前身是PolarSSL)是一个开源、轻量级的SSL/TLS库,专为嵌入式系统和资源受限环境设计。RSA是一种广泛应用的非对称加密算法,是公开密钥密码体制(PublicKeyCryptosystem)的一个典型代表,它的核心特点是采用一对密钥,分别是公开密钥(PublicKey)和私有密钥(PrivateKey)。相关头文件#include#include#include#inc
  • nginx中间件部署 cxy_6 nginx中间件运维
    普通权限账户安装NGINX中间件1、拥有高级权限的账户安装必要的插件sudoyuminstall-ygcc-c++makepcrepcre-develzlibzlib-developensslopenssl-devel2、普通账户进行NGINX的脚本式安装vinginx_intall.sh#!/bin/bashTAR_NAME="$1"TAR_NAME_DIR=`basenamenginx-1.2
  • SSL证书自动续签(解决泛域名续签问题) 月会 ssl自动续签
    文章目录SSL证书自动生成并自动续期Let’sEncryptCertbot介绍申请ssl证书下载certbot申请证书非泛域名申请证书nginx使用证书证书续期脚本linux定时执行脚本泛域名SSL证书自动生成并自动续期自动续期使用Let’sEncrypt证书颁发机构和certbot客户端共同完成Let’sEncryptLet’sEncrypt是一家免费、开放、自动化的证书颁发机构(CA),为公众
  • 使用 certbot 在centos7 搭建ssl证书自动并且续约 TwoSs110 sslhttps
    第一步,确定服务器适合安装的certbot版本sudoyuminstallpython27如果上述方法不起作用,你可以尝试编译安装。首先,你需要安装编译Python所需的依赖包。sudoyuminstallgccmakeopenssl-develsqlite-develreadline-develzlib-develbzip2-devel接下来,下载Python2.7.5的源代码,并进行编译安装。
  • Certbot实现SSL免费证书自动续签(CentOS 7版 + Docker部署的nginx) 程序猿S先森丶 sslcentosdocker
    前置安装,可参考Certbot实现SSL免费证书自动续签(CentOS7+nginx/apache)如果是通过Docker运行Nginx,certbot无法直接检测到本地的Nginx配置。解决方案是使用standalone模式或挂载Webroot方式获取SSL证书,并手动配置Nginx。方案1:Standalone模式(临时关闭Nginx获取证书)如果你的服务器不支持Webroot(或Nginx配
  • PKI及SSL协议分析实验报告 只会复制粘贴的 sslhttps服务器
    PKI及SSL协议分析实验报告一、实验目的通过该实验了解和掌握证书服务的安装,理解证书的发放过程,掌握在WEB服务器上配置SSL,使用HTTPS协议访问网站以验证结果,最后对HTTPS协议进行分析。二、实验环境WindowServer*2本实验中自己指定CA服务器与申请证书的网站。实验过程中建议使用IE浏览器,如果不使用IE,可能会导致后续实验过程中证书不能下载。三、实验内容与实验要求实验内容、原
  • php openssl tls1.2,openssl建立tls1连接过程(s->state的变化过程) 开源故事 phpopenssltls1.2
    以下是调用openssl建立tls1连接过程中,openssl内部对握手阶段的处理过程,可以对照抓包观察以下服务端和客户端是并行进行的,只是需要接收对端消息时才会进入等待状态.为方面理解,所以将客户端和服务端的处理按顺序排好.具体的状态转换代码请见:server端/ssl/s3_srvr.c的ssl3_accept方法client端/ssl/s3_clnt.c的ssl3_connect方法clie
  • openssl TLS 单向认证 spring*-* 网络服务器运维
    下面是一个简单的C语言程序示例,它展示了如何使用OpenSSL来实现基于TLS的加密TCP通信。这个程序包括一个服务器和一个客户端,它们通过TLS加密的TCP连接进行通信。步骤概览初始化OpenSSL库。创建SSL上下文(SSL_CTX)。在服务器端,加载服务器证书和私钥;在客户端,加载CA证书。使用SSL套接字进行加密通信。服务器端代码c复制代码#include#include#include#
  • server和client通信双方双向认证,基于openssl,使用TLS加密TCP流量 spring*-* tcp/ip服务器网络协议
    设计一个基于OpenSSL的C语言程序来实现双向认证的TLS加密TCP通信,需要包含服务器和客户端两部分。以下是该程序的核心步骤及示例代码。生成证书和私钥首先,需要为服务器和客户端生成证书和私钥。可以使用OpenSSL命令行工具生成这些文件。bash复制代码生成CA私钥和自签名证书opensslgenrsa-outca.key2048opensslreq-x509-new-nodes-keyca.
  • SSL 和 TLS 认证 百里自来卷 ssl网络协议网络
    SSL(SecureSocketsLayer,安全套接层)认证是一种用于加密网络通信和验证服务器身份的安全技术。它是TLS(TransportLayerSecurity,传输层安全协议)的前身,虽然现在大多数应用使用的是TLS,但仍习惯性地称之为SSL认证。SSL认证SSL认证的核心作用数据加密:防止数据在传输过程中被窃取或篡改,保证机密性。身份验证:验证服务器身份,防止用户连接到伪造的服务器(如
  • SSL的原理和应用 m0_74092749 ssl网络协议网络
    前言:SSL协议便是Internet上应用最为广泛的网络数据安全传输协议。SSL协议隶属于会话层,处于有连接的会话层之上,它一经产生就在Internet领域发挥了它的巨大作用。目前,国外著名的商用浏览器和Web服务器都支持SSL协议,SSL已成为最流行的WWW安全协议。目前已经有若干国外厂商推出了基于SSL的安全产品,但是协议在核心密码算法上都有出口限制,大多采用一些低安全强度的算法,而且协议代码
  • mbedtls编译 satadriver 工具和网站学习
    下载:gitclonehttps://github.com/Mbed-TLS/mbedtls.git设置编译环境:在mbedtls目录下执行:gitsubmoduleupdate--init,切换到tf-psa-crypto目录并再次执行:cdtf-psa-crypto/gitsubmoduleupdate--init编译:切换到mbedtls目录执行命令:makeall
  • IIS网站用myssl评级为B级 bigsea76 windowsssl
    不光是IIS网站,包括.net使用HttpListener开发的web程序,在默认情况下都会被评为B级。提示为:降级原因:1.没有使用AEAD系列加密套件,降级为B2.没有优先使用FS系列加密套件,降级为B。我现在知道AEAD系列加密套件指的是那些支持认证加密和关联数据(AuthenticatedEncryptionwithAssociatedData)的套件,比如AES-GCM和ChaCha20
  • 以下列举了一些典型的JavaScript网页设计实例,它们展示了多样化的功能和交互体验,非常适合初学者及中级开发者学习借鉴如下: 一一代码 javascript
    1.动态导航栏-功能描述:创建响应导航栏,当用户滚动页面时,导航栏固定在页面顶部,并显示当前页面部分。-技术点:-`window.scroll`事件监控页面滚动。-`classList`动态添加/移除CSS类。-`IntersectionObserver`检测元素是否进入视口。-示例代码:```javascriptwindow.addEventListener('scroll',()=>{cons
  • java list遍历添加元素_Java List集合方法及遍历过程代码解析 清净平常心 javalist遍历添加元素
    集合元素框架publicclassListDemo02{publicstaticvoidmain(String[]args){//创建集合对象Listlist=newArrayList();//添加元素list.add("hello");list.add("world");list.add("java");//输出集合对象System.out.println(list);//[hello,worl
  • 密码学概述及其发展简史 【一】 smilejiasmile #密码学及其区块链应用密码学古典密码
    1密码学1.1什么是密码学密码学是保障信息安全的核心技术,信息安全是密码学研究与发展的主要动力和目的。密码学能做什么?机密性:如何使得某个数据自己能看懂,别人看不懂认证:如何确保数据的正确来源,如何保证通信实体的真实性完整性:如何确保数据在传输过程中没有被删改不可否认性:如何确保用户行为的不可否认性密码算法密码算法的基本概念和术语包括:明文(M)、密文©、密钥(k秘密参数)、加密(E)、解密(D)
  • 2024 年真实世界密码学会议 红云谈安全 网络安全这些事网络安全网络
    今年的真实世界密码学会议最近在加拿大多伦多举行。与往常一样,由IACR组织的这次会议在为期三天的演讲中展示了当前密码学主题的最新学术成果和行业观点。会议前后还举办了许多同期活动,包括FHE.org会议、真实世界后量子密码学(RWPQC)研讨会和高可信加密软件(HACS)研讨会。今年,NCCGroup的密码服务团队的许多成员都参加了会议和几场研讨会。本文总结了我们最喜欢的一些演讲和要点。后量子密码学
  • 非对称加密算法——SIDH加密算法 java
    JavaSIDH算法解析理论背景1.1后量子密码学随着量子计算机的发展,传统公钥密码体系(如RSA、ECC)面临被Shor算法破解的风险。后量子密码学(Post-QuantumCryptography)研究能够抵御量子攻击的新型加密算法,主要包含以下类型:基于格的密码学基于编码的密码学多元多项式密码学基于超奇异椭圆曲线同源的密码学(SIDH)1.2椭圆曲线基础SIDH基于超奇异椭圆曲线及其同源映射
  • 【忍者算法】从找朋友到找变位词:一道趣味字符串问题的深入解析|LeetCode 438 找到字符串中所有字母异位词 忍者算法 忍者算法LeetCode题解秘籍leetcode算法职场和发展面试跳槽
    LeetCode438找到字符串中所有字母异位词点此看全部题解LeetCode必刷100题:一份来自面试官的算法地图(题解持续更新中)生活中的算法还记得小时候玩的"找朋友"游戏吗?每个人都有一个字母牌,需要找到拥有相同字母组合的伙伴。比如,拿着"ate"的同学要找到拿着"eat"或"tea"的同学。这其实就是在寻找字母异位词!在实际应用中,字母异位词的检测有着广泛的用途。比如在密码学中检测可能的密
  • 非对称加密:SSL/TLS握手的数学基石 安全
    1.密钥交换的密码学困局在未加密的HTTP通信中,攻击者可通过中间人攻击(MITM)窃听或篡改数据。SSL/TLS协议的核心挑战在于:如何在不安全的信道上建立安全通信?这本质上是一个“密钥分发问题”——若使用对称加密(如AES),双方需要共享同一密钥,但密钥本身如何安全传递?非对称加密的突破性在于公钥与私钥的分离。以RSA算法为例,其数学基础是大质数分解难题:选择两个大质数p和q(通常≥2048位
  • 守护网站安全的隐形卫士——SSL证书全解析 安全
    在网络世界中,保护用户数据的安全至关重要。无论你是经营一家小型网店还是管理大型企业网站,确保客户信息的安全性都是不可忽视的任务。今天,我们就来揭开一个默默守护网站安全的重要角色——SSL证书的神秘面纱。什么是SSL证书?SSL(SecureSocketsLayer)证书是一种数字证书,用于加密客户端与服务器之间的通信,确保数据传输过程中的安全性。简单来说,当您访问一个启用SSL证书的网站时,您的浏
  • 短视频时代,普通人如何保护个人隐私?——从SSL证书看数据安全 安全
    在短视频时代,每天数以亿计的用户上传内容、互动评论、甚至进行直播购物。然而,这些行为背后潜藏着隐私泄露的风险:账号密码被盗、支付信息被窃取、个人数据遭篡改……如何在这些场景中保护隐私?SSL证书作为互联网安全的基石,正扮演着关键角色。本文将从技术原理到实践建议,为你揭开SSL证书如何成为隐私保护的“隐形盾牌”。一、SSL证书:隐私保护的第一道防线SSL(SecureSocketsLayer)证书是
  • 基于k3s部署Nginx、MySQL、SpringBoot和Redis的详细教程
    1.安装k3s集群1.1单节点快速部署#使用root或sudo权限执行curl-sfLhttps://get.k3s.io|sh-#验证安装sudokubectlgetnodes#输出应为Ready状态sudosystemctlstatusk3s1.2配置kubectl权限(可选)mkdir-p~/.kubesudocp/etc/rancher/k3s/k3s.yaml~/.kube/config
  • docker启动报错:Job for docker. service failed because the control process exited with error code 奇怪的大象 javadocker容器运维intellij-ideajava
    1、在使用systemctlstartdocker时,一直报错,如下图。试了网上的方法:**a、修改docker.service文件;b、在daemon.json中增加代码,**都不能解决我遇到的情况。2、经过不懈努力,终于找到办法。在/etc/docker文件目录下,找到daemon.json,这个文件是我们在安装时创建的,如果没有的话,使用mkdir/etc/docker&&touchdaem
  • 简单的网页链接爬虫 笑颜218 爬虫python简单
    fromurllib.requestimporturlopenfromurllib.parseimporturljoinfromhtml.parserimportHTMLParser#自定义HTML解析器classLinkParser(HTMLParser):def__init__(self,base_url):super().__init__()self.base_url=base_url#基础
  • JAVA简单实现国密双向认证 [email protected] JAVA安全相关java开发语言国密
    要实现国密双向认证的数据发送,需要使用支持国密算法的Java库,并且确保HTTP客户端能够处理SSL/TLS连接时的客户端证书验证。在这个例子中,使用Java标准库结合BouncyCastle作为提供国密算法的支持。下面是一个简化的示例,展示如何使用Java实现国密双向认证的数据发送。请注意,实际开发中可能需要更多的错误处理和配置细节。首先,确保你已经添加了BouncyCastle作为安全提供者,
  • Java SSLSocket TLS 1.3示例 cyan20115 java数据库网络
    该Java11JEP332添加了对TLS1.3协议的支持。SSLSocket+TLS1.3具有TLS1.3协议和TLS_AES_128_GCM_SHA256流密码的SSLSocket客户端,用于将请求发送到https://google.com并打印响应。JavaTLS13.javapackagecom.mkyong.java11.jep332;importjavax.net.ssl.SSLSock
  • 密码学 网络安全 科普 网络安全密码技术 黑客-秋凌 密码学web安全安全
    网络加密包括密码技术和网络加密方法两个方面。一、密码技术密码技术一般分为常规密码和公钥密码。常规密码是指收信方和发信方使用相同的密钥,即加密密钥和解密密钥是相同或等价的。比较著名的常规密码算法有DES及其各种变形、IDEA、FEAL、Skipjack、RC4、RC5等。在众多的常规密码中影响最大的是DES密码。常规密码的优点是有很强的保密强度,且能经受住时间的检验和攻击,但其密钥必须通过安全的途径
  • linux系统的加固,防火墙,弱口令的梳理 weixin_43806846 安全加固
    防火墙开启防火墙:systemctlstartfirewalldsystemctlenablefirewalld弱口令opensslrand-base648>/root/.passwd#生成随机密码,保存至/root/.passwd,保存好root密码后,可以删除此文件cat/root/.passwd|passwdroot--stdin#更改root密码禁止root账号远程登录系统,并修改ssh默
  • 密码学:网络安全的基石与未来 安全
    在数字化时代,网络安全已成为全球关注的焦点。无论是个人隐私的保护,还是国家关键基础设施的安全,都离不开密码学这一核心技术。密码学不仅是信息安全的基石,更是现代社会中数据保密性、完整性和可用性的守护者。本文将从密码学的基本原理出发,结合最新技术发展,探讨其在网络安全中的核心作用。一、密码学的基本原理密码学的核心目标是通过数学方法保护信息的机密性、完整性和真实性。它主要分为两大领域:对称加密和非对称加
  • java短路运算符和逻辑运算符的区别 3213213333332132 java基础
    /* * 逻辑运算符——不论是什么条件都要执行左右两边代码 * 短路运算符——我认为在底层就是利用物理电路的“并联”和“串联”实现的 * 原理很简单,并联电路代表短路或(||),串联电路代表短路与(&&)。 * * 并联电路两个开关只要有一个开关闭合,电路就会通。 * 类似于短路或(||),只要有其中一个为true(开关闭合)是
  • Java异常那些不得不说的事 白糖_ javaexception
    一、在finally块中做数据回收操作 比如数据库连接都是很宝贵的,所以最好在finally中关闭连接。 JDBCAgent jdbc = new JDBCAgent(); try{ jdbc.excute("select * from ctp_log"); }catch(SQLException e){ ... }finally{ jdbc.close();
  • utf-8与utf-8(无BOM)的区别 dcj3sjt126com PHP
    BOM——Byte Order Mark,就是字节序标记   在UCS 编码中有一个叫做"ZERO WIDTH NO-BREAK SPACE"的字符,它的编码是FEFF。而FFFE在UCS中是不存在的字符,所以不应该出现在实际传输中。UCS规范建议我们在传输字节流前,先传输 字符"ZERO WIDTH NO-BREAK SPACE"。这样如
  • JAVA Annotation之定义篇 周凡杨 java注解annotation入门注释
        Annotation: 译为注释或注解 An annotation, in the Java computer programming language, is a form of syntactic metadata that can be added to Java source code. Classes, methods, variables, pa
  • tomcat的多域名、虚拟主机配置 g21121 tomcat
    众所周知apache可以配置多域名和虚拟主机,而且配置起来比较简单,但是项目用到的是tomcat,配来配去总是不成功。查了些资料才总算可以,下面就跟大家分享下经验。 很多朋友搜索的内容基本是告诉我们这么配置: 在Engine标签下增面积Host标签,如下: <Host name="www.site1.com" appBase="webapps"
  • Linux SSH 错误解析(Capistrano 的cap 访问错误 Permission ) 510888780 linuxcapistrano
    1.ssh -v [email protected] 出现 Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). 错误 运行状况如下: OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuratio
  • log4j的用法 Harry642 javalog4j
    一、前言:     log4j 是一个开放源码项目,是广泛使用的以Java编写的日志记录包。由于log4j出色的表现,     当时在log4j完成时,log4j开发组织曾建议sun在jdk1.4中用log4j取代jdk1.4 的日志工具类,但当时jdk1.4已接近完成,所以sun拒绝使用log4j,当在java开发中
  • mysql、sqlserver、oracle分页,java分页统一接口实现 aijuans oraclejave
    定义:pageStart 起始页,pageEnd 终止页,pageSize页面容量 oracle分页:     select * from ( select mytable.*,rownum num from (实际传的SQL) where rownum<=pageEnd) where num>=pageStart sqlServer分页:  
  • Hessian 简单例子 antlove javaWebservicehessian
    hello.hessian.MyCar.java package hessian.pojo; import java.io.Serializable; public class MyCar implements Serializable { private static final long serialVersionUID = 473690540190845543
  • 数据库对象的同义词和序列 百合不是茶 sql序列同义词ORACLE权限
    回顾简单的数据库权限等命令; 解锁用户和锁定用户 alter user scott account lock/unlock; //system下查看系统中的用户 select * dba_users; //创建用户名和密码 create user wj identified by wj; identified by //授予连接权和建表权 grant connect to
  • 使用Powermock和mockito测试静态方法 bijian1013 持续集成单元测试mockitoPowermock
            实例: package com.bijian.study; import static org.junit.Assert.assertEquals; import java.io.IOException; import org.junit.Before; import org.junit.Test; import or
  • 精通Oracle10编程SQL(6)访问ORACLE bijian1013 oracle数据库plsql
    /* *访问ORACLE */ --检索单行数据 --使用标量变量接收数据 DECLARE v_ename emp.ename%TYPE; v_sal emp.sal%TYPE; BEGIN select ename,sal into v_ename,v_sal from emp where empno=&no; dbms_output.pu
  • 【Nginx四】Nginx作为HTTP负载均衡服务器 bit1129 nginx
     Nginx的另一个常用的功能是作为负载均衡服务器。一个典型的web应用系统,通过负载均衡服务器,可以使得应用有多台后端服务器来响应客户端的请求。一个应用配置多台后端服务器,可以带来很多好处:   负载均衡的好处 增加可用资源 增加吞吐量 加快响应速度,降低延时 出错的重试验机制 Nginx主要支持三种均衡算法: round-robin l
  • jquery-validation备忘 白糖_ jquerycssF#Firebug
    留点学习jquery validation总结的代码:   function checkForm(){ validator = $("#commentForm").validate({// #formId为需要进行验证的表单ID errorElement :"span",// 使用"div"标签标记错误, 默认:&
  • solr限制admin界面访问(端口限制和http授权限制) ronin47 限定Ip访问
    solr的管理界面可以帮助我们做很多事情,但是把solr程序放到公网之后就要限制对admin的访问了。 可以通过tomcat的http基本授权来做限制,也可以通过iptables防火墙来限制。 我们先看如何通过tomcat配置http授权限制。 第一步: 在tomcat的conf/tomcat-users.xml文件中添加管理用户,比如: <userusername="ad
  • 多线程-用JAVA写一个多线程程序,写四个线程,其中二个对一个变量加1,另外二个对一个变量减1 bylijinnan java多线程
    public class IncDecThread { private int j=10; /* * 题目:用JAVA写一个多线程程序,写四个线程,其中二个对一个变量加1,另外二个对一个变量减1 * 两个问题: * 1、线程同步--synchronized * 2、线程之间如何共享同一个j变量--内部类 */ public static
  • 买房历程 cfyme
        2015-06-21: 万科未来城,看房子   2015-06-26: 办理贷款手续,贷款73万,贷款利率5.65=5.3675   2015-06-27: 房子首付,签完合同   2015-06-28,央行宣布降息 0.25,就2天的时间差啊,没赶上。   首付,老婆找他的小姐妹接了5万,另外几个朋友借了1-
  • [军事与科技]制造大型太空战舰的前奏 comsci 制造
           天气热了........空调和电扇要准备好..........        最近,世界形势日趋复杂化,战争的阴影开始覆盖全世界..........        所以,我们不得不关
  • dateformat dai_lm DateFormat
    "Symbol Meaning Presentation Ex." "------ ------- ------------ ----" "G era designator (Text) AD" "y year
  • Hadoop如何实现关联计算 datamachine mapreducehadoop关联计算
        选择Hadoop,低成本和高扩展性是主要原因,但但它的开发效率实在无法让人满意。     以关联计算为例。     假设:HDFS上有2个文件,分别是客户信息和订单信息,customerID是它们之间的关联字段。如何进行关联计算,以便将客户名称添加到订单列表中?   &nbs
  • 用户模型中修改用户信息时,密码是如何处理的 dcj3sjt126com yii
    当我添加或修改用户记录的时候对于处理确认密码我遇到了一些麻烦,所有我想分享一下我是怎么处理的。 场景是使用的基本的那些(系统自带),你需要有一个数据表(user)并且表中有一个密码字段(password),它使用 sha1、md5或其他加密方式加密用户密码。 面是它的工作流程: 当创建用户的时候密码需要加密并且保存,但当修改用户记录时如果使用同样的场景我们最终就会把用户加密过的密码再次加密,这
  • 中文 iOS/Mac 开发博客列表 dcj3sjt126com Blog
      本博客列表会不断更新维护,如果有推荐的博客,请到此处提交博客信息。 本博客列表涉及的文章内容支持 定制化Google搜索,特别感谢 JeOam 提供并帮助更新。 本博客列表也提供同步更新的OPML文件(下载OPML文件),可供导入到例如feedly等第三方定阅工具中,特别感谢 lcepy 提供自动转换脚本。这里有导入教程。
  • js去除空格,去除左右两端的空格 蕃薯耀 去除左右两端的空格js去掉所有空格js去除空格
    js去除空格,去除左右两端的空格 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>&g
  • SpringMVC4零配置--web.xml hanqunfeng springmvc4
    servlet3.0+规范后,允许servlet,filter,listener不必声明在web.xml中,而是以硬编码的方式存在,实现容器的零配置。 ServletContainerInitializer:启动容器时负责加载相关配置 package javax.servlet; import java.util.Set; public interface ServletContainer
  • 《开源框架那些事儿21》:巧借力与借巧力 j2eetop 框架UI
    同样做前端UI,为什么有人花了一点力气,就可以做好?而有的人费尽全力,仍然错误百出?我们可以先看看几个故事。 故事1:巧借力,乌鸦也可以吃核桃 有一个盛产核桃的村子,每年秋末冬初,成群的乌鸦总会来到这里,到果园里捡拾那些被果农们遗落的核桃。 核桃仁虽然美味,但是外壳那么坚硬,乌鸦怎么才能吃到呢?原来乌鸦先把核桃叼起,然后飞到高高的树枝上,再将核桃摔下去,核桃落到坚硬的地面上,被撞破了,于是,
  • JQuery EasyUI 验证扩展 可怜的猫 jqueryeasyui验证
      最近项目中用到了前端框架-- EasyUI,在做校验的时候会涉及到很多需要自定义的内容,现把常用的验证方式总结出来,留待后用。   以下内容只需要在公用js中添加即可。   使用类似于如下: <input class="easyui-textbox" name="mobile" id="mobile&
  • 架构师之httpurlconnection----------读取和发送(流读取效率通用类) nannan408
    1.前言.    如题. 2.代码. /* * Copyright (c) 2015, S.F. Express Inc. All rights reserved. */ package com.test.test.test.send; import java.io.IOException; import java.io.InputStream
  • Jquery性能优化 r361251 JavaScriptjquery
    一、注意定义jQuery变量的时候添加var关键字 这个不仅仅是jQuery,所有javascript开发过程中,都需要注意,请一定不要定义成如下: $loading = $('#loading'); //这个是全局定义,不知道哪里位置倒霉引用了相同的变量名,就会郁闷至死的 二、请使用一个var来定义变量 如果你使用多个变量的话,请如下方式定义: . 代码如下: var page
  • 在eclipse项目中使用maven管理依赖 tjj006 eclipsemaven
    概览: 如何导入maven项目至eclipse中 建立自有Maven  Java类库服务器 建立符合maven代码库标准的自定义类库 Maven在管理Java类库方面有巨大的优势,像白衣所说就是非常“环保”。 我们平时用IDE开发都是把所需要的类库一股脑的全丢到项目目录下,然后全部添加到ide的构建路径中,如果用了SVN/CVS,这样会很容易就 把
  • 中国天气网省市级联页面 x125858805 级联
    1、页面及级联js <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> &l
按字母分类: ABCDEFGHIJKLMNOPQRSTUVWXYZ其他