- max_space = max_buf - BIO_ctrl_pending (oc->rbio);
- max_space = (max_space < 0) ? 0 : max_space;
- deq_now = clib_min (deq_max, (u32) max_space);
- to_write = clib_min (svm_fifo_max_read_chunk (f), deq_now);
- wrote = SSL_write (oc->ssl, svm_fifo_head (f), to_write);
- if (wrote <= 0)
+ deq_max = clib_min (deq_max, sp->max_burst_size);
+
+ /* Make sure tcp's tx fifo can actually buffer all bytes to be dequeued.
+ * If under memory pressure, tls's fifo segment might not be able to
+ * allocate the chunks needed. This also avoids errors from the underlying
+ * custom bio to the ssl infra which at times can get stuck. */
+ if (svm_fifo_provision_chunks (ts->tx_fifo, 0, 0, deq_max + TLSO_CTRL_BYTES))
+ goto check_tls_fifo;
+
+ wrote = openssl_write_from_fifo_into_ssl (f, oc->ssl, deq_max);
+ if (!wrote)
+ goto check_tls_fifo;
+
+ if (svm_fifo_needs_deq_ntf (f, wrote))
+ session_dequeue_notify (app_session);
+
+check_tls_fifo:
+
+ if (PREDICT_FALSE (ctx->app_closed && BIO_ctrl_pending (oc->rbio) <= 0))
+ openssl_confirm_app_close (ctx);
+
+ /* Deschedule and wait for deq notification if fifo is almost full */
+ enq_buf = clib_min (svm_fifo_size (ts->tx_fifo) / 2, TLSO_MIN_ENQ_SPACE);
+ if (space < wrote + enq_buf)