Hi,we used to have a patch against httpd-2.2.15 to add SSLDisableCRLCaching option to not cache CRLs. I was trying to adapt this patch for httpd-trunk and eventually include it upstream but now I'm in dead end.
The patch removes all the CRLs from the per-server_rec OpenSSL cache created in ssl_init_ctx_crl (OpenSSL caches the CRLs in X509_store.objs). This all works properly, but I'm thinking about thread-safety.
The theoretical problem can happen when something gets the pointer to CRL from the cache, my code removes the CRL from the cache and deletes it and the original code starts using the pointer, which is now pointing to deleted object.
I have seen X509_OBJECT.references variable, which could help me a lot here (I could just decrease the refcount instead of deleting), but it seems this is not used anywhere in OpenSSL, so it's actually useless. Does anyone know if that's really true or I'm just missing something?
I'm looking for someone to review that code (maybe I'm not right with the thread-safety problem) or advise me the way to move further (if there's any).
Thanks, Jan Kaluza
httpd-trunk-disable-crl.patch
Description: application/download
