OpenSSL compress feature

Introduction

Michael Hanselmann provided two patches that add the option openssl-compress, which disables the compression feature of current OpenSSL versions, and that log the compression method actually used.

Development of these patches has been sponsored by Google Inc.

Message of the contributor

I'm working on the Ganeti project (http://code.google.com/p/ganeti/) for Google. We added support for transferring large amounts of data between machines encrypted by SSL using socat.

OpenSSL 0.9.8 and above support the compression methods described in RFC3749 (currently deflate/zlib only). By default, if enabled and supported by both sides, OpenSSL compresses all transferred data transparently.

In our case the data is read and written directly from/to block devices at a speed of more than 20 MB/sec. Tests showed that we're actually limited by CPU, not I/O bandwidth. Disabling compression increases traffic, which is acceptable in our use case as long as it's faster.

OpenSSL 0.9.9 and above have a special option to disable compression per SSL instance, SSL_OP_NO_COMPRESSION. In OpenSSL 0.9.8 compression can be disabled for the whole process by emptying OpenSSL's list of compression methods.

This patch series adds logging of the compression methods used for a connection (useful for debugging) and a new option to disable the compression (e.g. OPENSSL:1.2.3.4:9876,...,compress=none). Documentation updates and a test are provided.
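A way to check that disabling compression takes effect, added here as an example; it is not part of the contributor's message or of the patches. It uses Python, whose ssl module exposes SSL_OP_NO_COMPRESSION as ssl.OP_NO_COMPRESSION, and reads the compression methods a client offers from its ClientHello. The function names are hypothetical and the handshake runs against in-memory buffers, so no peer is contacted.

```python
import ssl

# Compression method identifiers from RFC 3749 (0 = null, 1 = DEFLATE).
METHOD_NAMES = {0: "null", 1: "DEFLATE"}

def no_compression_client():
    """Client context with compression disabled, like the page's compress=none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # constructed demo: no real peer is contacted
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options |= ssl.OP_NO_COMPRESSION   # OpenSSL's SSL_OP_NO_COMPRESSION
    return ctx

def client_hello(ctx):
    """Start a handshake over in-memory BIOs; return (ClientHello bytes, SSLObject)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass    # expected: the ClientHello is written, OpenSSL waits for a reply
    return outgoing.read(), conn

def offered_compression(record):
    """Extract the compression_methods list from a TLS ClientHello record."""
    if len(record) < 44 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32            # record header, handshake header, version, random
    pos += 1 + record[pos]          # skip session_id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")   # skip cipher_suites
    count = record[pos]
    return [METHOD_NAMES.get(m, hex(m)) for m in record[pos + 1:pos + 1 + count]]

if __name__ == "__main__":
    hello, conn = client_hello(no_compression_client())
    print("offered compression methods:", offered_compression(hello))
    # compression() names the negotiated method once a handshake has completed;
    # it is None here because no server answered.
    print("negotiated compression:", conn.compression())
```

On a completed connection, `conn.compression()` is the Python counterpart of the compression logging the patches add.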

Requisites

Apply these patches to the socat 1.7.1.3 source.

Download

socat-opensslcompress.patch
socat-opensslcompress2.patch

Future

This contribution will most likely join the next feature release.