Skip to content

Improve SSL performance by avoiding SSLWantReadError exception and using much faster checks whenever possible #629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fantix merged 12 commits into from
Jan 30, 2026
Merged

Improve SSL performance by avoiding SSLWantReadError exception and using much faster checks whenever possible #629

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
f18d1a3
Refactor and optimize buffered reads
Sep 9, 2024
951e8df
Refactor ssl buffered reads
Sep 9, 2024
26ede3c
Fix tests
Sep 9, 2024
eb7ce66
WIP: still broken, seems it is not possible cause SSLObject.read is t…
Sep 9, 2024
473214b
Cleanup
Sep 11, 2024
62272e1
Fix comments
Sep 11, 2024
7b1f810
Cleanup
Sep 11, 2024
a73d44e
Cleanup
Sep 11, 2024
1078fc2
Remove unintented change
Sep 11, 2024
5971ab7
Merge branch 'master' into optimize_ssl_read_latency
fantix Jan 27, 2026
4434c63
Apply suggestions from PR review
Jan 27, 2026
27d0693
Merge branch 'master' into optimize_ssl_read_latency
tarasko Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions uvloop/sslproto.pxd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ cdef class SSLProtocol:
object _sslobj
object _sslobj_read
object _sslobj_write
object _sslobj_pending
object _incoming
object _incoming_write
object _outgoing
Expand Down
105 changes: 75 additions & 30 deletions uvloop/sslproto.pyx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -480,6 +480,7 @@ cdef class SSLProtocol:
server_hostname=self._server_hostname)
self._sslobj_read = self._sslobj.read
self._sslobj_write = self._sslobj.write
self._sslobj_pending = self._sslobj.pending
except Exception as ex:
self._on_handshake_complete(ex)
else:
Expand Down Expand Up @@ -719,48 +720,91 @@ cdef class SSLProtocol:

cdef _do_read__buffered(self):
cdef:
Py_buffer pybuf
bint pybuf_inited = False
size_t wants, offset = 0
int count = 1
object buf
Py_ssize_t total_pending = (<Py_ssize_t>self._incoming.pending
+ <Py_ssize_t>self._sslobj_pending())
# Ask for a little extra in case when decrypted data is bigger than
# original
object app_buffer = self._app_protocol_get_buffer(
total_pending + 256)
Py_ssize_t app_buffer_size = len(app_buffer)

if app_buffer_size == 0:
return
Comment on lines +731 to +732
Copy link
Member

@fantix fantix Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh, good catch! This fixes a false EOF bug in previous code I think. Would be nice to have a test!


buf = self._app_protocol_get_buffer(self._get_read_buffer_size())
wants = len(buf)
cdef:
Py_ssize_t last_bytes_read = -1
Py_ssize_t total_bytes_read = 0
Py_buffer pybuf
bint pybuf_initialized = False

try:
count = self._sslobj_read(wants, buf)

if count > 0:
offset = count
if offset < wants:
PyObject_GetBuffer(buf, &pybuf, PyBUF_WRITABLE)
pybuf_inited = True
while offset < wants:
buf = PyMemoryView_FromMemory(
(<char*>pybuf.buf) + offset,
wants - offset,
# SSLObject.read may not return all available data in one go.
# We have to keep calling read until it throw SSLWantReadError.
# However, throwing SSLWantReadError is very expensive even in
# the master trunk of cpython.
# See https://github.com/python/cpython/issues/123954

# One way to reduce reliance on SSLWantReadError is to check
# self._incoming.pending > 0 and SSLObject.pending() > 0.
# SSLObject.read may still throw SSLWantReadError even when
# self._incoming.pending > 0 SSLObject.pending() == 0,
# but this should happen relatively rarely, only when ssl frame
# is partially received.

# This optimization works really well especially for peers
# exchanging small messages and wanting to have minimal latency.

# self._incoming.pending means how much data hasn't
# been processed by ssl yet (read: "still encrypted"). The final
# unencrypted data size maybe different.

# self._sslobj.pending() means how much data has been already
# decrypted and can be directly read with SSLObject.read.

# Run test_create_server_ssl_over_ssl to reproduce different cases
# for this method.
while total_pending > 0:
if total_bytes_read > 0:
if not pybuf_initialized:
PyObject_GetBuffer(app_buffer, &pybuf, PyBUF_WRITABLE)
pybuf_initialized = True

app_buffer = PyMemoryView_FromMemory(
(<char*>pybuf.buf) + total_bytes_read,
app_buffer_size - total_bytes_read,
PyBUF_WRITE)
count = self._sslobj_read(wants - offset, buf)
if count > 0:
offset += count
else:
break
else:

last_bytes_read = <Py_ssize_t>self._sslobj_read(
app_buffer_size, app_buffer)
Copy link
Member

@fantix fantix Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
app_buffer_size, app_buffer)
app_buffer_size - total_bytes_read, app_buffer)

Copy link
Contributor Author

@tarasko tarasko Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good one. Fixed!

Copy link
Contributor Author

@tarasko tarasko Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, probably doesn't make a difference because SSLObject.read won't read more than the length of app_buffer and it is already app_buffer_size - total_bytes_read. I fixed it anyway for consistency

Copy link
Contributor Author

@tarasko tarasko Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this whole SSLWantWriteError from SSLObject.read is tricky.

I'm not 100% sure but I have the following assumption:

  1. Python ssl.MemoryBIO grows dynamically without fixed capacity, has no limit, write can only fail in case of system out-of-memory

  2. SSL_read_ex returns SSL_WANT_WRITE_ERROR when memory BIO runs out of memory, not when we just wrote something. So given (1) SSL_WANT_WRITE_ERROR may only happen when the system runs out of memory.

  3. SSL_read_ex does use its chance to write control stuff right after successful read before returning. link

total_bytes_read += last_bytes_read

if last_bytes_read == 0:
break

# User buffer may not fit all available data.
if total_bytes_read == app_buffer_size:
self._loop._call_soon_handle(
new_MethodHandle(self._loop,
"SSLProtocol._do_read",
<method_t>self._do_read,
<method_t> self._do_read,
None, # current context is good
self))
break

total_pending = (<Py_ssize_t>self._incoming.pending +
<Py_ssize_t>self._sslobj_pending())
except ssl_SSLAgainErrors as exc:
pass
finally:
if pybuf_inited:
if pybuf_initialized:
PyBuffer_Release(&pybuf)
if offset > 0:
self._app_protocol_buffer_updated(offset)
if not count:

if total_bytes_read > 0:
self._app_protocol_buffer_updated(total_bytes_read)

# SSLObject.read() may return 0 instead of throwing SSLWantReadError
# This indicates that we reached EOF
if last_bytes_read == 0:
# close_notify
self._call_eof_received()
self._start_shutdown()
Expand All @@ -772,7 +816,8 @@ cdef class SSLProtocol:
bint zero = True, one = False

try:
while True:
while (<Py_ssize_t>self._incoming.pending > 0 or
<Py_ssize_t>self._sslobj_pending() > 0):
chunk = self._sslobj_read(SSL_READ_MAX_SIZE)
if not chunk:
break
Expand Down
Loading