Hi, On 10/19/2015 05:01 PM, Willy Tarreau wrote: >> [1] https://www.mail-archive.com/[email protected]/msg19962.html >> [2] https://www.mail-archive.com/[email protected]/msg19995.html > > Regarding the second one, maybe RĂ©mi's review could help. I noticed that > you used gen_ssl_ctx_ptr_index = -1 which is the same value used for > dh_params. Based on its name it makes me think it's a position in an > array, so I'm not sure whether we can make them collide for example. I > really don't know this API at all.
I am not familiar with the generated certificate cache, so I will just comment on the use of SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data() in the second patch, at least for now. The value of gen_ssl_ctx_ptr_index is correctly initialized to -1, and a valid index is then obtained by calling SSL_CTX_get_ex_new_index() in the __ssl_sock_init() constructor, so there should not be any collision with other indexes. My only minor remark is that, though unlikely, SSL_CTX_get_ex_new_index() might return -1 in case of error. In the DH code we handle this by checking that ssl_dh_ptr_index is != -1 before using it, and I think it would be better to do the same check before using gen_ssl_ctx_ptr_index. Kind regards, Remi
signature.asc
Description: OpenPGP digital signature
