I'm implementing a multithreaded server using OpenSSL.  Yes, you can create
one context to be used among all threads.  As far as synchronization, there is
a "threads" manual page somewhere under www.openssl.org (which appears to be
down at the moment, or I'd be more precise) that describes the issues.  The
FAQ gives a link to it.

You do need to learn about the following:
    CRYPTO_num_locks()
    CRYPTO_set_locking_callback()
    CRYPTO_set_id_callback()

Having said that, the "threads" man page says that the above must be used
for any application that uses OpenSSL in multiple threads.  But my cursory
examination of the source code implies that they are only utilized when you
explicitly use the session management routines, which I am not.  Preferring
to be over-safe than under-safe, I am using them.

Glover Barker
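Added example (editor's code, not Glover's, Eric's or OpenSSL's own): the glue that the three functions above expect from an OpenSSL 1.0.x application, a mutex table sized by CRYPTO_num_locks() and the two callbacks, followed by a constructed self-test that drives the locking callback the way libcrypto does. Build with -DUSE_OPENSSL -lcrypto to include openssl/crypto.h and actually register the callbacks; without that flag the CRYPTO_LOCK/CRYPTO_UNLOCK values are defined locally (they match the 1.0.x header) so the same logic runs stand-alone. The lock count of 8, SELFTEST_ITERS and the worker are constructed for the demo. Two caveats worth knowing: in 1.0.x the locking callback guards shared state well beyond the session cache (error queues, reference counts, the RNG), and from 1.1.0 on locking is internal and these setters are no-ops.

```c
/* Thread-safety glue for OpenSSL 1.0.x: one mutex per libcrypto lock slot and
 * the two callbacks the "threads" man page describes. -DUSE_OPENSSL registers
 * them for real; otherwise the file runs as a stand-alone self-test. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef USE_OPENSSL
#include <openssl/crypto.h>   /* CRYPTO_LOCK, CRYPTO_num_locks(), the setters */
#else
/* Stand-ins for the mode bits the callback inspects; values match 1.0.x crypto.h. */
#define CRYPTO_LOCK   1
#define CRYPTO_UNLOCK 2
#endif

static pthread_mutex_t *lock_table;   /* indexed by libcrypto's lock number n */
static int lock_table_len;

/* libcrypto calls this around every access to shared state number n. */
static void locking_callback(int mode, int n, const char *file, int line)
{
    (void)file; (void)line;           /* only useful when debugging a deadlock */
    if (mode & CRYPTO_LOCK)
        pthread_mutex_lock(&lock_table[n]);
    else
        pthread_mutex_unlock(&lock_table[n]);
}

/* Thread identity, used to keep per-thread error queues apart. pthread_t is an
 * integer on Linux; where it is a struct, use the CRYPTO_THREADID API (1.0.0+). */
static unsigned long id_callback(void)
{
    return (unsigned long)pthread_self();
}

/* Call once from the main thread before any worker touches OpenSSL.
 * nlocks must be CRYPTO_num_locks() in a real build; returns 0 on success. */
int ssl_threads_init(int nlocks)
{
    lock_table = calloc((size_t)nlocks, sizeof *lock_table);
    if (lock_table == NULL) return -1;
    lock_table_len = nlocks;
    for (int i = 0; i < nlocks; i++)
        pthread_mutex_init(&lock_table[i], NULL);
#ifdef USE_OPENSSL
    CRYPTO_set_id_callback(id_callback);
    CRYPTO_set_locking_callback(locking_callback);
#else
    (void)id_callback;
#endif
    return 0;
}

/* Unregister before freeing the mutexes, after all worker threads are joined. */
void ssl_threads_cleanup(void)
{
#ifdef USE_OPENSSL
    CRYPTO_set_locking_callback(NULL);
    CRYPTO_set_id_callback(NULL);
#endif
    for (int i = 0; i < lock_table_len; i++)
        pthread_mutex_destroy(&lock_table[i]);
    free(lock_table);
    lock_table = NULL;
    lock_table_len = 0;
}

/* --- constructed self-test: drive the callback exactly as libcrypto would --- */
#define SELFTEST_ITERS 20000
static long shared_counter;            /* stands in for libcrypto's shared state */

static void *worker(void *arg)
{
    int slot = *(int *)arg;
    for (int i = 0; i < SELFTEST_ITERS; i++) {
        locking_callback(CRYPTO_LOCK, slot, __FILE__, __LINE__);
        shared_counter++;              /* safe only because slot is held */
        locking_callback(CRYPTO_UNLOCK, slot, __FILE__, __LINE__);
    }
    return NULL;
}

/* Runs nthreads workers contending on one lock slot and returns the final
 * count; it equals nthreads * SELFTEST_ITERS only if the callback really
 * serialises them. Returns -1 if setup fails. */
long ssl_threads_selftest(int nthreads)
{
    pthread_t *tids = calloc((size_t)nthreads, sizeof *tids);
    int slot = 3;                      /* any valid lock number works */
    if (tids == NULL || ssl_threads_init(8) != 0) { free(tids); return -1; }
    shared_counter = 0;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, worker, &slot);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    ssl_threads_cleanup();
    free(tids);
    return shared_counter;
}

int main(void)
{
    printf("counter after 4 threads: %ld\n", ssl_threads_selftest(4));
    return 0;
}
```

The order matters in a real build: ssl_threads_init() must run before the first thread is spawned, and ssl_threads_cleanup() only after every thread that used OpenSSL has been joined, because an unregistered callback with live threads reintroduces the very race the table exists to prevent.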


From: Eric Rescorla <[EMAIL PROTECTED]>
Sent by: owner-openssl-users@openssl.org
To: [EMAIL PROTECTED]
Subject: Re: Newbie dev questions
Date: 12/04/2001 03:24 PM
Please respond to: openssl-users

"Tim Pushor" <[EMAIL PROTECTED]> writes:
> I am following the 'Introduction to OpenSSL programming' found at rtfm.com.
> I am having no trouble understanding the concepts within, but have a few
> questions:
>
> 1) My application is multithreaded (using pthreads) and each thread will
> make a new SSL connection. Can I create the global SSL context in the main
> thread, and then use it in each worker thread to generate the individual
> connections? Is there any synchronization necessary?
As far as I know, the rule is that you cannot use a single SSL object
in more than one thread but that you can share an SSL_CTX as long
as you've compiled OpenSSL in threaded mode. However, I'd like to
see someone who's actually done OpenSSL thread programming weigh in :)

> 2) I need to use nonblocking IO for reads and writes (to handle timeouts
> mainly). The introduction does not cover that :( is there anywhere I can see
> a (hopefully simple) implementation of nonblocking IO?
Actually, part II does cover that. I haven't had time to typeset it in
PDF but it's available on the Linux Journal web site at:
http://www.linuxjournal.com/article.php?sid=5487

> or is there a
> mechanism inside OpenSSL to handle read/write timeouts?
No. You have to do it yourself.


> 3) I don't care about client authentication, or about server CA
> verification. Can I just set the verify depth to 0 in the global SSL
> context?
This is a bad bad idea because it leaves you open to active attack.

However, it's not done by setting the verify depth to zero.
Just leave the SSL ctx as it is and don't check whether verification
succeeded or not. If you look at my code in wclient you can see
how this works:

    if(require_server_auth)
      check_cert(ssl,host);

-Ekr

--
[Eric Rescorla                                   [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
                  http://www.rtfm.com/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
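Added example covering questions 2 and 3 of the exchange above (editor's code, not Eric's wclient and not part of OpenSSL): a read timeout implemented in the application, since OpenSSL offers none, and the post-handshake verification check that a default SSL_CTX leaves to you. The deadline bookkeeping and fd wait are plain POSIX and run as written, exercised by a constructed pipe-based self-test; ssl_read_timeout() and peer_cert_ok() use the real libssl calls and compile only with -DUSE_OPENSSL -lssl -lcrypto (assumption: the SSL's socket has already been set O_NONBLOCK, and an API of 1.0.x or later). Note that OpenSSL before 1.0.2 performs no hostname check at all; in 1.1.0+ call SSL_set1_host() before the handshake so X509_V_OK also covers the server name, otherwise that check belongs in the application too (presumably why Eric's check_cert takes a host argument).

```c
/* Read timeouts around non-blocking SSL I/O, done by the application because
 * OpenSSL will not do it for you, plus the verification check question 3
 * actually needs. The fd wait and deadline bookkeeping are plain POSIX and run
 * as-is; the libssl parts build with -DUSE_OPENSSL -lssl -lcrypto. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#include <openssl/x509.h>
#endif

/* Monotonic milliseconds: a wall-clock jump must not stretch a timeout. */
long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Block until fd is readable (want_write == 0) or writable (want_write != 0)
 * or the absolute deadline passes. Returns 1 ready, 0 timed out, -1 error.
 * The remaining time is recomputed on every pass, so retries after EINTR or
 * after a WANT_READ/WANT_WRITE round trip cannot extend the overall budget. */
int wait_fd_until(int fd, int want_write, long long deadline_ms)
{
    for (;;) {
        long long left = deadline_ms - now_ms();
        if (left <= 0) return 0;
        fd_set set;
        FD_ZERO(&set);
        FD_SET(fd, &set);
        struct timeval tv;
        tv.tv_sec  = (time_t)(left / 1000);
        tv.tv_usec = (suseconds_t)((left % 1000) * 1000);
        int r = select(fd + 1, want_write ? NULL : &set, want_write ? &set : NULL, NULL, &tv);
        if (r > 0) return 1;
        if (r == 0) return 0;
        if (errno != EINTR) return -1;
    }
}

#ifdef USE_OPENSSL
/* SSL_read with an overall timeout on a socket already set O_NONBLOCK.
 * A non-blocking SSL_read can ask for WANT_WRITE (e.g. during renegotiation)
 * as well as WANT_READ; either way the call is repeated with the same
 * arguments once the socket is ready. Returns bytes read; 0 on close_notify
 * or timeout (*timed_out tells which); -1 on a protocol or socket error. */
int ssl_read_timeout(SSL *ssl, void *buf, int len, int timeout_ms, int *timed_out)
{
    long long deadline = now_ms() + timeout_ms;
    int fd = SSL_get_fd(ssl);
    *timed_out = 0;
    for (;;) {
        int n = SSL_read(ssl, buf, len);
        if (n > 0) return n;
        int err = SSL_get_error(ssl, n), w;
        if (err == SSL_ERROR_ZERO_RETURN)     return 0;   /* peer closed cleanly */
        else if (err == SSL_ERROR_WANT_READ)  w = wait_fd_until(fd, 0, deadline);
        else if (err == SSL_ERROR_WANT_WRITE) w = wait_fd_until(fd, 1, deadline);
        else                                  return -1;  /* SSL_ERROR_SSL / _SYSCALL */
        if (w == 1) continue;
        if (w == 0) { *timed_out = 1; return 0; }
        return -1;
    }
}

/* The check Eric says not to skip: the default SSL_CTX verifies the chain but
 * lets the handshake complete regardless, so refuse the connection yourself
 * when the recorded result is not X509_V_OK. Call after SSL_connect(). */
int peer_cert_ok(SSL *ssl)
{
    X509 *cert = SSL_get_peer_certificate(ssl);
    if (cert == NULL) return 0;          /* no certificate presented at all */
    X509_free(cert);
    return SSL_get_verify_result(ssl) == X509_V_OK;
}
#endif

/* Constructed self-test of the timeout path using a pipe instead of a socket:
 * returns 1 if an empty pipe times out and a written byte makes it ready. */
int wait_fd_selftest(void)
{
    int fds[2];
    if (pipe(fds) != 0) return 0;
    int ok = wait_fd_until(fds[0], 0, now_ms() + 30) == 0      /* nothing to read */
          && write(fds[1], "x", 1) == 1
          && wait_fd_until(fds[0], 0, now_ms() + 1000) == 1    /* readable now */
          && wait_fd_until(fds[1], 1, now_ms() + 1000) == 1;   /* pipe writable */
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void)
{
    printf("timeout self-test: %s\n", wait_fd_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The same deadline pattern wraps SSL_write() and a non-blocking SSL_connect()/SSL_accept(); what differs is only which call is repeated. Keep the buffer pointer and length identical across the retries, as OpenSSL requires unless SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is set for writes.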


