On Mon, Feb 21, 2005, Christian Kreibich wrote:

> Hi all,
>
> I have an application in which a "master" process creates a socket,
> connects to a server app, and forks off a few children sharing the open
> file descriptor for that connection with its children. All of the
> children use the shared descriptor to send messages, synchronized
> through shared memory + semaphores. I've left out a lot of details and
> reasons for this approach, but you hopefully get the idea and it
> suffices to say it works fine.
>
> Now I wonder what would be the easiest way to SSL-enable that scenario.
> I do have SSL working fine in a single-process scenario but wonder how
> well the concept of a file descriptor shared between processes
> translates to BIOs.
>
> I'm assuming that open SSL BIOs cannot be shared across forks because
> the SSL contexts in individual processes will get out of sync when
> output is written from multiple processes, correct?
>
> At least this appears to match my observations, which are that SSL_read
> on the server end dies with a return value of -1 and SSL_get_error
> reports SSL_ERROR_SSL.
>
> So what is the easiest way to solve this -- is there an easy way to put
> a single SSL connection's state into shared memory, or should I abandon
> this approach and insist on all SSL communication on a single connection
> being performed within the same process?
>
> Feedback will be much appreciated.
>

OpenSSL hasn't been designed to be used like that so you may well run
into problems. It might not be desirable anyway because all the
children would share the same session keys which would presumably be
accessible to them.

You could I suppose keep the current model and have a separate process
that handles the SSL I/O as a kind of tunnel.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
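
Added example (not part of the thread and not OpenSSL code): a toy record layer in Python that, like TLS record protection, MACs each record together with an implicit sequence number. It shows a forked copy of the connection state falling out of step with the receiver, and the single-owner "tunnel" process suggested in the reply staying in step. The class and function names and the key are assumptions made for this illustration.

```python
import hashlib, hmac, os, struct

class RecordState:
    """One direction of a toy MAC-protected record layer (a model, not TLS)."""
    def __init__(self, key=b"constructed-demo-key"):  # constructed sample key
        self.key, self.seq = key, 0
    def _mac(self, payload):
        # The sequence number is MACed but never sent, so both ends must count alike.
        msg = struct.pack(">Q", self.seq) + payload
        self.seq += 1
        return hmac.new(self.key, msg, hashlib.sha256).digest()
    def seal(self, payload):
        return payload + self._mac(payload)
    def open(self, record):
        payload, tag = record[:-32], record[-32:]
        if not hmac.compare_digest(tag, self._mac(payload)):
            raise ValueError("bad record MAC")
        return payload

def run_in_child(fn):
    """fork(), run fn() in the child, hand its bytes result to the parent."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # the child works on a private copy of every object
        os.write(w, fn())
        os._exit(0)
    os.close(w)
    data = os.read(r, 65536)
    os.close(r)
    os.waitpid(pid, 0)
    return data

def receive(records):
    rx, out = RecordState(), []
    try:
        for rec in records:
            out.append(rx.open(rec))
    except ValueError as exc:  # a MAC failure ends the connection
        out.append(str(exc))
    return out

def shared_after_fork():
    tx = RecordState()
    from_child = run_in_child(lambda: tx.seal(b"from child"))  # child copy: seq 0
    return receive([from_child, tx.seal(b"from parent")])      # parent: seq 0 again

def single_owner():
    tx = RecordState()  # only this process ever touches the record state
    msgs = [run_in_child(lambda: b"from child"), b"from parent"]
    return receive([tx.seal(m) for m in msgs])
```

In `shared_after_fork()` the child's increment of the sequence number never reaches the parent, so the second record is rejected; in `single_owner()` the child hands over plaintext only and never holds the key.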