Darryl Miles wrote:
> Frank wrote:
>> William A. Rowe, Jr. wrote:
>>> Nick Kew wrote:
>>> [...]
>>> An SSL_CTX can't be cross-threaded. If the scope of use of that CTX is
>>> restricted to one thread at a time, then yes, OpenSSL has been threadsafe
>>> for a very very long time.
>>
>> You mean if I were able to create one SSL_CTX for every thread then I
>> do not have to use both thread-safe-maker callbacks?

YOU don't have to set it because they are one time things, and mod_ssl establishes them for you running in a threaded MPM such as worker, or winnt. You may dig your fingers into the SSL_CTX apache uses, or create your own. If you f with the callbacks, you will blow up apache. Let mod_ssl+the MPM handle that please.

> I don't think this is true. But correct my understanding too if I am
> wrong. Cross-threaded might confuse someone into thinking there may be
> some "apartment threading rules" to obey, there isn't.
>
> "An SSL *" can't have a method invoked on the same instance at the same
> time. So long as you serialize your method calls (SSL_xxxx() family) to
> that same instance; any thread can call that method. It is unusual to
> need to do so.
>
> But "SSL_CTX *" is the template context specifically designed to be
> shared and used across multiple-threads if needs be, providing you make
> correct use of the 'CRYPTO_set_locking_callback' and
> 'CRYPTO_set_id_callback' and friends as part of your application
> initialization. This allows for (amongst other things) the obviously
> parallel usage of SSL_new(SSL_CTX *) when creating new connections.

Good summary. I believe I misspoke, the individual SSL_XXX objects aren't thread safe (instead they are fast) but the overall SSL_CTX object is.

> Maybe the openssl-users list would be a better place for assistance.

Agreed
