puma 5.1.1 → 5.3.1

data/docs/rails_dev_mode.md

@@ -0,0 +1,29 @@
+# Running Puma in Rails Development Mode
+
+## "Loopback requests" 
+
+Be cautious of "loopback requests", where a Rails application executes a request to a server that in turn, results in another request back to the same Rails application before the first request is completed. Having a loopback request will trigger [Rails' load interlock](https://guides.rubyonrails.org/threading_and_code_execution.html#load-interlock) mechanism. The load interlock mechanism prevents a thread from using Rails autoloading mechanism to load constants while the application code is still running inside another thread.
+
+This issue only occurs in the development environment as Rails' load interlock is not used in production environments. Although we're not sure, we believe this issue may not occur with the new `zeitwerk` code loader.
+
+### Solutions
+
+
+#### 1. Bypass Rails' load interlock with `.permit_concurrent_loads`
+
+Wrap the first request inside a block that will allow concurrent loads, [`ActiveSupport::Dependencies.interlock.permit_concurrent_loads`](https://guides.rubyonrails.org/threading_and_code_execution.html#permit-concurrent-loads). Anything wrapped inside the `.permit_concurrent_loads` block will bypass the load interlock mechanism, allowing new threads to access the Rails environment and boot properly. 
+
+###### Example 
+
+```ruby
+response = ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
+  # Your HTTP request code here. For example:
+  Faraday.post url, data: 'foo'
+end
+
+do_something_with response
+```
+
+####  2. Use multiple processes on Puma
+
+Alternatively, you may also enable multiple (single-threaded) workers on Puma. By doing so, you are sidestepping the problem by creating multiple processes rather than new threads. However, this workaround is not ideal because debugging tools such as [byebug](https://github.com/deivid-rodriguez/byebug/issues/487) and [pry](https://github.com/pry/pry/issues/2153), work poorly with any multi-process web server. 

data/docs/restart.md

@@ -45,7 +45,7 @@ Any of the following will cause a Puma server to perform a phased restart:
 ### Supported configurations
 
 * Works in cluster mode only
-* To support upgrading the application that Puma is serving, ensure `prune_bundler` is enabled and that `preload_app` is disabled (it is disabled by default).
+* To support upgrading the application that Puma is serving, ensure `prune_bundler` is enabled and that `preload_app!` is disabled
 * Supported on all platforms where cluster mode is supported
 
 ### Client experience

data/docs/stats.md

@@ -0,0 +1,142 @@
+## accessing stats
+
+Stats can be accessed in two ways:
+
+### control server
+
+`$ pumactl stats` or `GET /stats`
+
+[Read more about `pumactl` and the control server in the README.](https://github.com/puma/puma#controlstatus-server).
+
+### Puma.stats
+
+`Puma.stats` produces a JSON string. `Puma.stats_hash` produces a ruby hash.
+
+#### in single mode
+
+Invoke `Puma.stats` anywhere in runtime, e.g. in a rails initializer:
+
+```ruby
+# config/initializers/puma_stats.rb
+
+Thread.new do
+  loop do
+    sleep 30
+    puts Puma.stats
+  end
+end
+```
+
+#### in cluster mode
+
+Invoke `Puma.stats` from the master process
+
+```ruby
+# config/puma.rb
+
+before_fork do
+  Thread.new do
+    loop do
+      puts Puma.stats
+      sleep 30
+    end
+  end
+end
+```
+
+
+## Explanation of stats
+
+`Puma.stats` returns different information and a different structure depending on if Puma is in single vs cluster mode. There is one top-level attribute that is common to both modes:
+
+* started_at: when puma was started
+
+### single mode and individual workers in cluster mode
+
+When Puma is run in single mode, these stats are available at the top level. When Puma is run in cluster mode, these stats are available within the `worker_status` array in a hash labeled `last_status`, in an array of hashes, one hash for each worker.
+
+* backlog: requests that are waiting for an available thread to be available. if this is above 0, you need more capacity [always true?]
+* running: how many threads are running
+* pool_capacity: the number of requests that the server is capable of taking right now. For example if the number is 5 then it means there are 5 threads sitting idle ready to take a request. If one request comes in, then the value would be 4 until it finishes processing. If the minimum threads allowed is zero, this number will still have a maximum value of the maximum threads allowed.
+* max_threads: the maximum number of threads puma is configured to spool up per worker 
+* requests_count: the number of requests this worker has served since starting
+
+
+### cluster mode
+
+* phase: which phase of restart the process is in, during [phased restart](https://github.com/puma/puma/blob/master/docs/restart.md)
+* workers: ??
+* booted_workers: how many workers currently running?
+* old_workers: ??
+* worker_status: array of hashes of info for each worker (see below)
+
+### worker status
+
+* started_at: when the worker was started
+* pid: the process id of the worker process
+* index: each worker gets a number. if puma is configured to have 3 workers, then this will be 0, 1, or 2
+* booted: if it's done booting [?]
+* last_checkin: Last time the worker responded to the master process' heartbeat check.
+* last_status: a hash of info about the worker's state handling requests. See the explanation for this in "single mode and individual workers in cluster mode" section above.
+
+
+## Examples
+
+Here are two example stats hashes produced by `Puma.stats`:
+
+### single
+
+```json
+{
+  "started_at": "2021-01-14T07:12:35Z",
+  "backlog": 0,
+  "running": 5,
+  "pool_capacity": 5,
+  "max_threads": 5,
+  "requests_count": 3
+}
+```
+
+### cluster
+
+```json
+{
+  "started_at": "2021-01-14T07:09:17Z",
+  "workers": 2,
+  "phase": 0,
+  "booted_workers": 2,
+  "old_workers": 0,
+  "worker_status": [
+    {
+      "started_at": "2021-01-14T07:09:24Z",
+      "pid": 64136,
+      "index": 0,
+      "phase": 0,
+      "booted": true,
+      "last_checkin": "2021-01-14T07:11:09Z",
+      "last_status": {
+        "backlog": 0,
+        "running": 5,
+        "pool_capacity": 5,
+        "max_threads": 5,
+        "requests_count": 2
+      }
+    },
+    {
+      "started_at": "2021-01-14T07:09:24Z",
+      "pid": 64137,
+      "index": 1,
+      "phase": 0,
+      "booted": true,
+      "last_checkin": "2021-01-14T07:11:09Z",
+      "last_status": {
+        "backlog": 0,
+        "running": 5,
+        "pool_capacity": 5,
+        "max_threads": 5,
+        "requests_count": 1
+      }
+    }
+  ]
+}
+```

data/docs/systemd.md

@@ -8,7 +8,7 @@ useful features for running Puma in production.
 ## Service Configuration
 
 Below is a sample puma.service configuration file for systemd, which
-can be copied or symlinked to /etc/systemd/system/puma.service, or if
+can be copied or symlinked to `/etc/systemd/system/puma.service`, or if
 desired, using an application or instance specific name.
 
 Note that this uses the systemd preferred "simple" type where the

data/ext/puma_http11/extconf.rb

@@ -22,6 +22,20 @@ unless ENV["DISABLE_SSL"]
     # below are yes for 1.1.0 & later
     have_func  "TLS_server_method"                     , "openssl/ssl.h"
     have_func  "SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h"
+
+    have_func  "X509_STORE_up_ref"
+    have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
+  end
+end
+
+if ENV["MAKE_WARNINGS_INTO_ERRORS"]
+  # Make all warnings into errors
+  # Except `implicit-fallthrough` since most failures comes from ragel state machine generated code
+  if respond_to? :append_cflags
+    append_cflags config_string 'WERRORFLAG'
+    append_cflags '-Wno-implicit-fallthrough'
+  else
+    $CFLAGS += ' ' << (config_string 'WERRORFLAG') << ' -Wno-implicit-fallthrough'
   end
 end
 

data/ext/puma_http11/http11_parser.c

@@ -43,15 +43,13 @@ static const int puma_parser_start = 1;
 static const int puma_parser_first_final = 46;
 static const int puma_parser_error = 0;
 
-static const int puma_parser_en_main = 1;
-
 
 #line 85 "ext/puma_http11/http11_parser.rl"
 
 int puma_parser_init(puma_parser *parser)  {
   int cs = 0;
   
-#line 55 "ext/puma_http11/http11_parser.c"
+#line 53 "ext/puma_http11/http11_parser.c"
 	{
 	cs = puma_parser_start;
 	}
@@ -85,7 +83,7 @@ size_t puma_parser_execute(puma_parser *parser, const char *buffer, size_t len,
   assert((size_t) (pe - p) == len - off && "pointers aren't same distance");
 
   
-#line 89 "ext/puma_http11/http11_parser.c"
+#line 87 "ext/puma_http11/http11_parser.c"
 	{
 	if ( p == pe )
 		goto _test_eof;
@@ -116,7 +114,7 @@ st2:
 	if ( ++p == pe )
 		goto _test_eof2;
 case 2:
-#line 120 "ext/puma_http11/http11_parser.c"
+#line 118 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr2;
 		case 36: goto st27;
@@ -141,7 +139,7 @@ st3:
 	if ( ++p == pe )
 		goto _test_eof3;
 case 3:
-#line 145 "ext/puma_http11/http11_parser.c"
+#line 143 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 42: goto tr4;
 		case 43: goto tr5;
@@ -165,7 +163,7 @@ st4:
 	if ( ++p == pe )
 		goto _test_eof4;
 case 4:
-#line 169 "ext/puma_http11/http11_parser.c"
+#line 167 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr8;
 		case 35: goto tr9;
@@ -227,7 +225,7 @@ st5:
 	if ( ++p == pe )
 		goto _test_eof5;
 case 5:
-#line 231 "ext/puma_http11/http11_parser.c"
+#line 229 "ext/puma_http11/http11_parser.c"
 	if ( (*p) == 72 )
 		goto tr10;
 	goto st0;
@@ -239,7 +237,7 @@ st6:
 	if ( ++p == pe )
 		goto _test_eof6;
 case 6:
-#line 243 "ext/puma_http11/http11_parser.c"
+#line 241 "ext/puma_http11/http11_parser.c"
 	if ( (*p) == 84 )
 		goto st7;
 	goto st0;
@@ -320,7 +318,7 @@ st14:
 	if ( ++p == pe )
 		goto _test_eof14;
 case 14:
-#line 324 "ext/puma_http11/http11_parser.c"
+#line 322 "ext/puma_http11/http11_parser.c"
 	if ( (*p) == 10 )
 		goto st15;
 	goto st0;
@@ -371,7 +369,7 @@ st46:
 	if ( ++p == pe )
 		goto _test_eof46;
 case 46:
-#line 375 "ext/puma_http11/http11_parser.c"
+#line 373 "ext/puma_http11/http11_parser.c"
 	goto st0;
 tr21:
 #line 40 "ext/puma_http11/http11_parser.rl"
@@ -387,7 +385,7 @@ st17:
 	if ( ++p == pe )
 		goto _test_eof17;
 case 17:
-#line 391 "ext/puma_http11/http11_parser.c"
+#line 389 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 33: goto tr23;
 		case 58: goto tr24;
@@ -426,7 +424,7 @@ st18:
 	if ( ++p == pe )
 		goto _test_eof18;
 case 18:
-#line 430 "ext/puma_http11/http11_parser.c"
+#line 428 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 13: goto tr26;
 		case 32: goto tr27;
@@ -440,7 +438,7 @@ st19:
 	if ( ++p == pe )
 		goto _test_eof19;
 case 19:
-#line 444 "ext/puma_http11/http11_parser.c"
+#line 442 "ext/puma_http11/http11_parser.c"
 	if ( (*p) == 13 )
 		goto tr29;
 	goto st19;
@@ -486,7 +484,7 @@ st20:
 	if ( ++p == pe )
 		goto _test_eof20;
 case 20:
-#line 490 "ext/puma_http11/http11_parser.c"
+#line 488 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr31;
 		case 60: goto st0;
@@ -507,7 +505,7 @@ st21:
 	if ( ++p == pe )
 		goto _test_eof21;
 case 21:
-#line 511 "ext/puma_http11/http11_parser.c"
+#line 509 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr33;
 		case 60: goto st0;
@@ -528,7 +526,7 @@ st22:
 	if ( ++p == pe )
 		goto _test_eof22;
 case 22:
-#line 532 "ext/puma_http11/http11_parser.c"
+#line 530 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 43: goto st22;
 		case 58: goto st23;
@@ -553,7 +551,7 @@ st23:
 	if ( ++p == pe )
 		goto _test_eof23;
 case 23:
-#line 557 "ext/puma_http11/http11_parser.c"
+#line 555 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr8;
 		case 34: goto st0;
@@ -573,7 +571,7 @@ st24:
 	if ( ++p == pe )
 		goto _test_eof24;
 case 24:
-#line 577 "ext/puma_http11/http11_parser.c"
+#line 575 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr37;
 		case 34: goto st0;
@@ -596,7 +594,7 @@ st25:
 	if ( ++p == pe )
 		goto _test_eof25;
 case 25:
-#line 600 "ext/puma_http11/http11_parser.c"
+#line 598 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr41;
 		case 34: goto st0;
@@ -616,7 +614,7 @@ st26:
 	if ( ++p == pe )
 		goto _test_eof26;
 case 26:
-#line 620 "ext/puma_http11/http11_parser.c"
+#line 618 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr44;
 		case 34: goto st0;

data/ext/puma_http11/http11_parser.h

@@ -29,8 +29,8 @@ typedef void (*field_cb)(struct puma_parser* hp,
 
 typedef struct puma_parser {
   int cs;
-  size_t body_start;
   int content_len;
+  size_t body_start;
   size_t nread;
   size_t mark;
   size_t field_start;

data/ext/puma_http11/http11_parser.java.rl

@@ -58,7 +58,7 @@ public class Http11Parser {
 }%%
 
 /** Data **/
-%% write data;
+%% write data noentry;
 
    public static interface ElementCB {
      public void call(Ruby runtime, RubyHash data, ByteList buffer, int at, int length);

data/ext/puma_http11/http11_parser.rl

@@ -81,7 +81,7 @@ static void snake_upcase_char(char *c)
 }%%
 
 /** Data **/
-%% write data;
+%% write data noentry;
 
 int puma_parser_init(puma_parser *parser)  {
   int cs = 0;

data/ext/puma_http11/mini_ssl.c

@@ -28,6 +28,8 @@ typedef struct {
   int bytes;
 } ms_cert_buf;
 
+VALUE eError;
+
 void engine_free(void *ptr) {
   ms_conn *conn = ptr;
   ms_cert_buf* cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
@@ -47,61 +49,65 @@ const rb_data_type_t engine_data_type = {
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
 };
 
-ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
-  ms_conn* conn;
-
-  *obj = TypedData_Make_Struct(klass, ms_conn, &engine_data_type, conn);
-
-  conn->read = BIO_new(BIO_s_mem());
-  BIO_set_nbio(conn->read, 1);
-
-  conn->write = BIO_new(BIO_s_mem());
-  BIO_set_nbio(conn->write, 1);
-
-  conn->ssl = 0;
-  conn->ctx = 0;
-
-  return conn;
-}
-
-DH *get_dh1024() {
-  /* `openssl dhparam 1024 -C`
+DH *get_dh2048() {
+  /* `openssl dhparam -C 2048`
    * -----BEGIN DH PARAMETERS-----
-   * MIGHAoGBALPwcEv0OstmQCZdfHw0N5r+07lmXMxkpQacy1blwj0LUqC+Divp6pBk
-   * usTJ9W2/dOYr1X7zi6yXNLp4oLzc/31PUL3D9q8CpGS7vPz5gijKSw9BwCTT5z9+
-   * KF9v46qw8XqT5HHV87sWFlGQcVFq+pEkA2kPikkKZ/X/CCcpCAV7AgEC
+   * MIIBCAKCAQEAjmh1uQHdTfxOyxEbKAV30fUfzqMDF/ChPzjfyzl2jcrqQMhrk76o
+   * 2NPNXqxHwsddMZ1RzvU8/jl+uhRuPWjXCFZbhET4N1vrviZM3VJhV8PPHuiVOACO
+   * y32jFd+Szx4bo2cXSK83hJ6jRd+0asP1awWjz9/06dFkrILCXMIfQLo0D8rqmppn
+   * EfDDAwuudCpM9kcDmBRAm9JsKbQ6gzZWjkc5+QWSaQofojIHbjvj3xzguaCJn+oQ
+   * vHWM+hsAnaOgEwCyeZ3xqs+/5lwSbkE/tqJW98cEZGygBUVo9jxZRZx6KOfjpdrb
+   * yenO9LJr/qtyrZB31WJbqxI0m0AKTAO8UwIBAg==
    * -----END DH PARAMETERS-----
    */
-  static unsigned char dh1024_p[] = {
-    0xB3,0xF0,0x70,0x4B,0xF4,0x3A,0xCB,0x66,0x40,0x26,0x5D,0x7C,
-    0x7C,0x34,0x37,0x9A,0xFE,0xD3,0xB9,0x66,0x5C,0xCC,0x64,0xA5,
-    0x06,0x9C,0xCB,0x56,0xE5,0xC2,0x3D,0x0B,0x52,0xA0,0xBE,0x0E,
-    0x2B,0xE9,0xEA,0x90,0x64,0xBA,0xC4,0xC9,0xF5,0x6D,0xBF,0x74,
-    0xE6,0x2B,0xD5,0x7E,0xF3,0x8B,0xAC,0x97,0x34,0xBA,0x78,0xA0,
-    0xBC,0xDC,0xFF,0x7D,0x4F,0x50,0xBD,0xC3,0xF6,0xAF,0x02,0xA4,
-    0x64,0xBB,0xBC,0xFC,0xF9,0x82,0x28,0xCA,0x4B,0x0F,0x41,0xC0,
-    0x24,0xD3,0xE7,0x3F,0x7E,0x28,0x5F,0x6F,0xE3,0xAA,0xB0,0xF1,
-    0x7A,0x93,0xE4,0x71,0xD5,0xF3,0xBB,0x16,0x16,0x51,0x90,0x71,
-    0x51,0x6A,0xFA,0x91,0x24,0x03,0x69,0x0F,0x8A,0x49,0x0A,0x67,
-    0xF5,0xFF,0x08,0x27,0x29,0x08,0x05,0x7B
+  static unsigned char dh2048_p[] = {
+    0x8E, 0x68, 0x75, 0xB9, 0x01, 0xDD, 0x4D, 0xFC, 0x4E, 0xCB,
+    0x11, 0x1B, 0x28, 0x05, 0x77, 0xD1, 0xF5, 0x1F, 0xCE, 0xA3,
+    0x03, 0x17, 0xF0, 0xA1, 0x3F, 0x38, 0xDF, 0xCB, 0x39, 0x76,
+    0x8D, 0xCA, 0xEA, 0x40, 0xC8, 0x6B, 0x93, 0xBE, 0xA8, 0xD8,
+    0xD3, 0xCD, 0x5E, 0xAC, 0x47, 0xC2, 0xC7, 0x5D, 0x31, 0x9D,
+    0x51, 0xCE, 0xF5, 0x3C, 0xFE, 0x39, 0x7E, 0xBA, 0x14, 0x6E,
+    0x3D, 0x68, 0xD7, 0x08, 0x56, 0x5B, 0x84, 0x44, 0xF8, 0x37,
+    0x5B, 0xEB, 0xBE, 0x26, 0x4C, 0xDD, 0x52, 0x61, 0x57, 0xC3,
+    0xCF, 0x1E, 0xE8, 0x95, 0x38, 0x00, 0x8E, 0xCB, 0x7D, 0xA3,
+    0x15, 0xDF, 0x92, 0xCF, 0x1E, 0x1B, 0xA3, 0x67, 0x17, 0x48,
+    0xAF, 0x37, 0x84, 0x9E, 0xA3, 0x45, 0xDF, 0xB4, 0x6A, 0xC3,
+    0xF5, 0x6B, 0x05, 0xA3, 0xCF, 0xDF, 0xF4, 0xE9, 0xD1, 0x64,
+    0xAC, 0x82, 0xC2, 0x5C, 0xC2, 0x1F, 0x40, 0xBA, 0x34, 0x0F,
+    0xCA, 0xEA, 0x9A, 0x9A, 0x67, 0x11, 0xF0, 0xC3, 0x03, 0x0B,
+    0xAE, 0x74, 0x2A, 0x4C, 0xF6, 0x47, 0x03, 0x98, 0x14, 0x40,
+    0x9B, 0xD2, 0x6C, 0x29, 0xB4, 0x3A, 0x83, 0x36, 0x56, 0x8E,
+    0x47, 0x39, 0xF9, 0x05, 0x92, 0x69, 0x0A, 0x1F, 0xA2, 0x32,
+    0x07, 0x6E, 0x3B, 0xE3, 0xDF, 0x1C, 0xE0, 0xB9, 0xA0, 0x89,
+    0x9F, 0xEA, 0x10, 0xBC, 0x75, 0x8C, 0xFA, 0x1B, 0x00, 0x9D,
+    0xA3, 0xA0, 0x13, 0x00, 0xB2, 0x79, 0x9D, 0xF1, 0xAA, 0xCF,
+    0xBF, 0xE6, 0x5C, 0x12, 0x6E, 0x41, 0x3F, 0xB6, 0xA2, 0x56,
+    0xF7, 0xC7, 0x04, 0x64, 0x6C, 0xA0, 0x05, 0x45, 0x68, 0xF6,
+    0x3C, 0x59, 0x45, 0x9C, 0x7A, 0x28, 0xE7, 0xE3, 0xA5, 0xDA,
+    0xDB, 0xC9, 0xE9, 0xCE, 0xF4, 0xB2, 0x6B, 0xFE, 0xAB, 0x72,
+    0xAD, 0x90, 0x77, 0xD5, 0x62, 0x5B, 0xAB, 0x12, 0x34, 0x9B,
+    0x40, 0x0A, 0x4C, 0x03, 0xBC, 0x53
   };
-  static unsigned char dh1024_g[] = { 0x02 };
+  static unsigned char dh2048_g[] = { 0x02 };
 
   DH *dh;
+#if !(OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER))
+  BIGNUM *p, *g;
+#endif
+
   dh = DH_new();
 
 #if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
-  dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-  dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+  dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+  dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
 
   if ((dh->p == NULL) || (dh->g == NULL)) {
     DH_free(dh);
     return NULL;
   }
 #else
-  BIGNUM *p, *g;
-  p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-  g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+  p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+  g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
 
   if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) {
     DH_free(dh);
@@ -114,6 +120,37 @@ DH *get_dh1024() {
   return dh;
 }
 
+static void
+sslctx_free(void *ptr) {
+  SSL_CTX *ctx = ptr;
+  SSL_CTX_free(ctx);
+}
+
+static const rb_data_type_t sslctx_type = {
+  "MiniSSL/SSLContext",
+  {
+    0, sslctx_free,
+  },
+  0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
+  ms_conn* conn;
+
+  *obj = TypedData_Make_Struct(klass, ms_conn, &engine_data_type, conn);
+
+  conn->read = BIO_new(BIO_s_mem());
+  BIO_set_nbio(conn->read, 1);
+
+  conn->write = BIO_new(BIO_s_mem());
+  BIO_set_nbio(conn->write, 1);
+
+  conn->ssl = 0;
+  conn->ctx = 0;
+
+  return conn;
+}
+
 static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
   X509* err_cert;
   SSL* ssl;
@@ -140,49 +177,73 @@ static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
   return preverify_ok;
 }
 
-VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
-  VALUE obj;
+static VALUE
+sslctx_alloc(VALUE klass) {
+  SSL_CTX *ctx;
+  long mode = 0 |
+    SSL_MODE_ENABLE_PARTIAL_WRITE |
+    SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+    SSL_MODE_RELEASE_BUFFERS;
+
+#ifdef HAVE_TLS_SERVER_METHOD
+  ctx = SSL_CTX_new(TLS_method());
+  // printf("\nctx using TLS_method security_level %d\n", SSL_CTX_get_security_level(ctx));
+#else
+  ctx = SSL_CTX_new(SSLv23_method());
+#endif
+  if (!ctx) {
+    rb_raise(eError, "SSL_CTX_new");
+  }
+  SSL_CTX_set_mode(ctx, mode);
+
+  return TypedData_Wrap_Struct(klass, &sslctx_type, ctx);
+}
+
+VALUE
+sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   SSL_CTX* ctx;
-  SSL* ssl;
-  int min, ssl_options;
 
-  ms_conn* conn = engine_alloc(self, &obj);
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+  int min;
+#endif
+  int ssl_options;
+  VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
+    verification_flags;
+  DH *dh;
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+  EC_KEY *ecdh;
+#endif
 
-  ID sym_key = rb_intern("key");
-  VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0);
+  TypedData_Get_Struct(self, SSL_CTX, &sslctx_type, ctx);
 
+  key = rb_funcall(mini_ssl_ctx, rb_intern_const("key"), 0);
   StringValue(key);
 
-  ID sym_cert = rb_intern("cert");
-  VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);
-
+  cert = rb_funcall(mini_ssl_ctx, rb_intern_const("cert"), 0);
   StringValue(cert);
 
-  ID sym_ca = rb_intern("ca");
-  VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);
+  ca = rb_funcall(mini_ssl_ctx, rb_intern_const("ca"), 0);
 
-  ID sym_verify_mode = rb_intern("verify_mode");
-  VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);
+  verify_mode = rb_funcall(mini_ssl_ctx, rb_intern_const("verify_mode"), 0);
 
-  ID sym_ssl_cipher_filter = rb_intern("ssl_cipher_filter");
-  VALUE ssl_cipher_filter = rb_funcall(mini_ssl_ctx, sym_ssl_cipher_filter, 0);
+  ssl_cipher_filter = rb_funcall(mini_ssl_ctx, rb_intern_const("ssl_cipher_filter"), 0);
 
-  ID sym_no_tlsv1 = rb_intern("no_tlsv1");
-  VALUE no_tlsv1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1, 0);
+  no_tlsv1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1"), 0);
 
-  ID sym_no_tlsv1_1 = rb_intern("no_tlsv1_1");
-  VALUE no_tlsv1_1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1_1, 0);
-
-#ifdef HAVE_TLS_SERVER_METHOD
-  ctx = SSL_CTX_new(TLS_server_method());
-#else
-  ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
-  conn->ctx = ctx;
+  no_tlsv1_1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1_1"), 0);
 
   SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
   SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
 
+  verification_flags = rb_funcall(mini_ssl_ctx, rb_intern_const("verification_flags"), 0);
+
+  if (!NIL_P(verification_flags)) {
+    X509_VERIFY_PARAM *param = SSL_CTX_get0_param(ctx);
+    X509_VERIFY_PARAM_set_flags(param, NUM2INT(verification_flags));
+    SSL_CTX_set1_param(ctx, param);
+  }
+
   if (!NIL_P(ca)) {
     StringValue(ca);
     SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
@@ -228,35 +289,45 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
     SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
   }
 
-  DH *dh = get_dh1024();
+  dh = get_dh2048();
   SSL_CTX_set_tmp_dh(ctx, dh);
 
 #if OPENSSL_VERSION_NUMBER < 0x10002000L
   // Remove this case if OpenSSL 1.0.1 (now EOL) support is no
   // longer needed.
-  EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
   if (ecdh) {
     SSL_CTX_set_tmp_ecdh(ctx, ecdh);
     EC_KEY_free(ecdh);
   }
 #elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-  // Prior to OpenSSL 1.1.0, servers must manually enable server-side ECDH
-  // negotiation.
   SSL_CTX_set_ecdh_auto(ctx, 1);
 #endif
 
-  ssl = SSL_new(ctx);
-  conn->ssl = ssl;
-  SSL_set_app_data(ssl, NULL);
-
   if (NIL_P(verify_mode)) {
-    /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
+    /* SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); */
   } else {
-    SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
+    SSL_CTX_set_verify(ctx, NUM2INT(verify_mode), engine_verify_callback);
   }
+  // printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));
+  rb_obj_freeze(self);
+  return self;
+}
 
-  SSL_set_bio(ssl, conn->read, conn->write);
+VALUE engine_init_server(VALUE self, VALUE sslctx) {
+  ms_conn* conn;
+  VALUE obj;
+  SSL_CTX* ctx;
+  SSL* ssl;
+
+  conn = engine_alloc(self, &obj);
+
+  TypedData_Get_Struct(sslctx, SSL_CTX, &sslctx_type, ctx);
 
+  ssl = SSL_new(ctx);
+  conn->ssl = ssl;
+  SSL_set_app_data(ssl, NULL);
+  SSL_set_bio(ssl, conn->read, conn->write);
   SSL_set_accept_state(ssl);
   return obj;
 }
@@ -296,7 +367,7 @@ VALUE engine_inject(VALUE self, VALUE str) {
   return INT2FIX(used);
 }
 
-static VALUE eError;
+NORETURN(void raise_error(SSL* ssl, int result));
 
 void raise_error(SSL* ssl, int result) {
   char buf[512];
@@ -320,8 +391,7 @@ void raise_error(SSL* ssl, int result) {
     } else {
       err = (int) ERR_get_error();
       ERR_error_string_n(err, buf, sizeof(buf));
-      int errexp = err & mask;
-      snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, errexp);
+      snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err & mask);
     }
   } else {
     snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err);
@@ -385,7 +455,9 @@ VALUE engine_extract(VALUE self) {
   ms_conn* conn;
   int bytes;
   size_t pending;
-  char buf[512];
+  // https://www.openssl.org/docs/manmaster/man3/BIO_f_buffer.html
+  // crypto/bio/bf_buff.c DEFAULT_BUFFER_SIZE
+  char buf[4096];
 
   TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
@@ -480,7 +552,7 @@ VALUE noop(VALUE self) {
 }
 
 void Init_mini_ssl(VALUE puma) {
-  VALUE mod, eng;
+  VALUE mod, eng, sslctx;
 
 /* Fake operation for documentation (RDoc, YARD) */
 #if 0 == 1
@@ -494,6 +566,11 @@ void Init_mini_ssl(VALUE puma) {
 
   mod = rb_define_module_under(puma, "MiniSSL");
   eng = rb_define_class_under(mod, "Engine", rb_cObject);
+  sslctx = rb_define_class_under(mod, "SSLContext", rb_cObject);
+  rb_define_alloc_func(sslctx, sslctx_alloc);
+  rb_define_method(sslctx, "initialize", sslctx_initialize, 1);
+  rb_undef_method(sslctx, "initialize_copy");
+
 
   // OpenSSL Build / Runtime/Load versions
 
@@ -552,9 +629,10 @@ void Init_mini_ssl(VALUE puma) {
 
 #else
 
+NORETURN(VALUE raise_error(VALUE self));
+
 VALUE raise_error(VALUE self) {
   rb_raise(rb_eStandardError, "SSL not available in this build");
-  return Qnil;
 }
 
 void Init_mini_ssl(VALUE puma) {