SSL related tuning

zhangxinrun · Dec 9, 2012 · aeac47d · aeac47d
1 parent 61f99a0
commit aeac47d
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 18 deletions.
diff --git a/Makefile b/Makefile
@@ -35,7 +35,7 @@ debug: compile
 
 # Launch a shell for client.
 client: compile
-	$(ERL) -pa ebin deps/*/ebin +A 100 +K true +P 1000000 +W w -s reloader
+	$(ERL) -pa ebin deps/*/ebin +A 16 +K true +P 100000 +W w -s reloader
 
 # Make a textual log snapshot.
 log:

diff --git a/src/fubar.app.src b/src/fubar.app.src
@@ -13,26 +13,27 @@
                                  {cacertfile, "priv/ssl/ca/cacert.pem"},
                                  {certfile, "priv/ssl/cert.pem"},
                                  {keyfile, "priv/ssl/key.pem"},
-                                 {verify, verify_none}]}
+                                 {reuse_session, true}, {verify, verify_none}]}
                      ]},
          {fubar_log, [{dir, "priv/log"},
                       {max_bytes, 10485760},
                       {max_files, 10},
-                      {classes, [access, packet, protocol, resource, trace, warning, debug, noise]}
+                      {classes, [trace, access, packet, protocol, resource, warning, debug, noise]}
+                      %{classes, []}
                      ]},
          {vm_memory_monitor, [{high_watermark, 0.4},
                               {low_watermark, 0.38}]},
          {mqtt_protocol, [{max_packet_size, 4096},
                           {dispatch, mqtt_server}
                          ]},
-         {mqtt_server, [{timeout, 10000},
+         {mqtt_server, [{timeout, 3000},
                         {auth, undefined}
                        ]},
          {mqtt_session, [{transaction_timeout, 60000},
-                         {buffer_limit, 10},
+                         {buffer_limit, 3},
                          {max_retries, 5},
                          {retry_after, 10000}]},
          {mqtt_topic, [{timeout, 10000}]}
         ]}
  ]
-}.
+}.
diff --git a/src/mqtt_client.erl b/src/mqtt_client.erl
@@ -352,7 +352,7 @@ handle_event(Event, State) ->
 %% @doc Finalize the client process.
 -spec terminate(state()) -> ok.
 terminate(State) ->
-	?DEBUG([terminate, State]),
+	?INFO([terminate, State]),
 	State.
 
 %%
@@ -376,4 +376,4 @@ feedback(ClientId, Message) ->
 %% Unit Tests
 %%
 -ifdef(TEST).
--endif.
+-endif.
diff --git a/src/mqtt_client_sup.erl b/src/mqtt_client_sup.erl
@@ -35,15 +35,15 @@ start_link() ->
 -spec start_child(proplist(atom(), term())) -> {ok, pid()} | {error, reason()}.
 start_child(Props) ->
 	Id = proplists:get_value(client_id, Props),
-	Spec = {Id, {mqtt_client, start_link, [Props]}, transient, 10, worker, dynamic},
+	Spec = {Id, {mqtt_client, start_link, [Props]}, permanent, 10, worker, dynamic},
 	supervisor:start_child(?MODULE, Spec).
 
 %% @doc Start an mqtt client under supervisory.
 -spec start_child_after(timeout(), proplist(atom(), term())) -> {ok, pid()} | {error, reason()}.
 start_child_after(Millisec, Props) ->
 	timer:sleep(Millisec),
 	Id = proplists:get_value(client_id, Props),
-	Spec = {Id, {mqtt_client, start_link, [Props]}, transient, 10, worker, dynamic},
+	Spec = {Id, {mqtt_client, start_link, [Props]}, permanent, 10, worker, dynamic},
 	supervisor:start_child(?MODULE, Spec).
 
 %% @doc Stop an mqtt client under supervisory.
@@ -55,4 +55,4 @@ stop_child(Id) ->
 %% Supervisor callbacks
 %%
 init(_) ->
-	{ok, {{one_for_one, ?MAX_R, ?MAX_T}, []}}.
+	{ok, {{one_for_one, ?MAX_R, ?MAX_T}, []}}.
diff --git a/src/mqtt_protocol.erl b/src/mqtt_protocol.erl
@@ -83,31 +83,62 @@ stop(Pid) ->
 %%
 
 %% Initialize the protocol in client mode.
-init(State=#?MODULE{host=Host, port=Port, transport=Transport, socket=undefined}) ->
-	case Transport:connect(Host, Port, State#?MODULE.socket_options) of
+init(State=#?MODULE{host=Host, port=Port, transport=Transport,
+					socket=undefined, socket_options=Options}) ->
+	case Transport:connect(Host, Port, Options) of
 		{ok, Socket} ->
+			NewOptions = lists:foldl(fun(Key, Acc) ->
+											 proplists:delete(Key, Acc)
+									 end, Options, ssl_options()),
+			NewState = State#?MODULE{socket=Socket, socket_options=NewOptions},
 			case Socket of
 				{sslsocket, _, _} ->
+					?DEBUG(ssl:connection_info(Socket)),
 					case ssl:peercert(Socket) of
 						{ok, _} ->
 							?DEBUG("ssl cert ok"),
-							client_init(State#?MODULE{socket=Socket});
+							client_init(NewState);
 						Error ->
 							{stop, Error}
 					end;
 				_ ->
-					client_init(State#?MODULE{socket=Socket})
+					client_init(NewState)
 			end;
 		{error, Reason} ->
 			{stop, Reason}
 	end;
 
 %% Initialize the protocol in server mode.
-init(State=#?MODULE{transport=Transport, socket=Socket}) ->
+init(State=#?MODULE{transport=Transport, socket=Socket, socket_options=Options}) ->
 	% Leave access log.
 	{ok, {PeerAddr, PeerPort}} = Transport:peername(Socket),
 	fubar_log:log(access, ?MODULE, ["connection from", PeerAddr, PeerPort]),
-	server_init(State).
+	case Socket of
+		{sslsocket, _, _} ->
+			fubar_log:log(debug, ?MODULE, [ssl, ssl:connection_info(Socket)]),
+			NewOptions = lists:foldl(fun(Key, Acc) ->
+											 proplists:delete(Key, Acc)
+									 end, Options, ssl_options()),
+			NewState = State#?MODULE{socket_options=NewOptions},
+			case ssl:peercert(Socket) of
+				{ok, _} ->
+					fubar_log:log(debug, ?MODULE, "ssl cert ok"),
+					server_init(NewState);
+				Error ->
+					case proplists:get_value(verify, Options) of
+						verify_peer ->
+							% The client is not certified and rejected.
+							fubar_log:log(warning, ?MODULE, ["ssl cert not ok", Error]),
+							Transport:close(Socket),
+							{ok, NewState#?MODULE{socket=undefined, timeout=0}, 0};
+						_ ->
+							% The client is not certified but accepted.
+							server_init(NewState)
+					end
+			end;
+		_ ->
+			server_init(State)
+	end.
 
 client_init(State=#?MODULE{transport=Transport, socket=Socket, socket_options=SocketOptions,
 						   dispatch=Dispatch, context=Context}) ->
@@ -237,7 +268,7 @@ handle_info({tcp, Socket, Data}, State=#?MODULE{transport=Transport, socket=Sock
 			Transport:setopts(Socket, [{active, once}]),
 			{noreply, NewState, Timeout};
 		{error, Reason, NewState} ->
-			fubar_log:log(packet, ?MODULE, ["parse error", Reason]),
+			fubar_log:log(warning, ?MODULE, ["parse error", Reason]),
 			{stop, normal, NewState}
 	end;
 handle_info({ssl, Socket, Data}, State) ->
@@ -779,6 +810,11 @@ encode_number(N, Acc) ->
 			encode_number(Div, <<Acc/binary, 1:1/unsigned, Rem:7/big-unsigned>>)
 	end.
 
+ssl_options() ->
+	[verify, verify_fun, fail_if_no_peer_cert, depth, cert, certfile,
+	 key, keyfile, password, cacerts, cacertfile, dh, dhfile, ciphers,
+	 ssl_imp, reuse_sessions, reuse_session].
+
 %%
 %% Unit Tests
 %%