From 05410fe9b3247c8d7ce3dfe03e51431c15839249 Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Mon, 13 Jan 2014 23:33:31 +0100
Subject: [PATCH] Enable SSL_MODE_RELEASE_BUFFERS by default
---
 GNUmakefile | 3 ---
 pxyconn.c | 8 ++++----
 ssl.c | 5 +++++
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/GNUmakefile b/GNUmakefile
index f60173c..9cb198f 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -1,8 +1,5 @@
 ### OpenSSL tweaking
-# Define to use dubious hacks to decrease OpenSSL memory consumption.
-#FEATURES+= -DUSE_FOOTPRINT_HACKS
-
 # Define to disable server-mode SSL session caching for SSLv2 clients.
 # This is needed if SSL session resumption fails with a bufferevent error:
 # "illegal padding in SSL routines SSL2_READ_INTERNAL".
diff --git a/pxyconn.c b/pxyconn.c
index 68623db..20de50a 100644
--- a/pxyconn.c
+++ b/pxyconn.c
@@ -690,10 +690,10 @@ pxy_srcssl_create(pxy_conn_ctx_t *ctx, SSL *origssl)
 ctx->enomem = 1;
 return NULL;
 }
-#ifdef USE_FOOTPRINT_HACKS
+#ifdef SSL_MODE_RELEASE_BUFFERS
 /* lower memory footprint for idle connections */
 SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);
-#endif /* USE_FOOTPRINT_HACKS */
+#endif /* SSL_MODE_RELEASE_BUFFERS */
 return ssl;
 }
 
@@ -833,10 +833,10 @@ pxy_dstssl_create(pxy_conn_ctx_t *ctx)
 }
 #endif /* !OPENSSL_NO_TLSEXT */
 
-#if USE_FOOTPRINT_HACKS
+#ifdef SSL_MODE_RELEASE_BUFFERS
 /* lower memory footprint for idle connections */
 SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);
-#endif /* USE_FOOTPRINT_HACKS */
+#endif /* SSL_MODE_RELEASE_BUFFERS */
 
 /* session resuming based on remote endpoint address and port */
 sess = cachemgr_dsess_get((struct sockaddr *)&ctx->addr,
diff --git a/ssl.c b/ssl.c
index a3d0b7e..07945c3 100644
--- a/ssl.c
+++ b/ssl.c
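Review bot: `SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);` in the pxy_srcssl_create hunk, and the identical line in the pxy_dstssl_create hunk, reads the current mode only to OR it straight back in; SSL_set_mode already adds the given bits to the existing mode mask without clearing the others, so `SSL_set_mode(ssl, SSL_MODE_RELEASE_BUFFERS);` is equivalent and reads more clearly. Now that the mode is enabled wherever the OpenSSL headers define the macro, rather than behind an opt-in build flag, the one-line comment is worth widening to record the intent, e.g. `/* let OpenSSL free the per-connection read/write buffers while the connection is idle and reallocate on demand; keeps memory per idle session low when the proxy holds many connections */`. Both enclosing functions extend beyond their hunks: pxy_srcssl_create begins before the first hunk and pxy_dstssl_create continues past the second.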
@@ -114,6 +114,11 @@ ssl_openssl_version(void)
 #else /* !OPENSSL_THREADS */
 fprintf(stderr, "OpenSSL is not thread-safe\n");
 #endif /* !OPENSSL_THREADS */
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ fprintf(stderr, "Using SSL_MODE_RELEASE_BUFFERS\n");
+#else /* !SSL_MODE_RELEASE_BUFFERS */
+ fprintf(stderr, "Not using SSL_MODE_RELEASE_BUFFERS\n");
+#endif /* !SSL_MODE_RELEASE_BUFFERS */
 #if (OPENSSL_VERSION_NUMBER == 0x100000bfL) || \
 (OPENSSL_VERSION_NUMBER == 0x1000105fL)
 fprintf(stderr, "Using direct access workaround when loading certs\n");