On Fri, May 13, 2005, Dan Trainor wrote:

> Good Morning, all -
> 
> We are developing an application under openssl-0.9.7, and have had 
> varying success.  Most of the problems we've been able to overcome, but 
> we're kind of stumped on an element here.
> 
> We're currently using the following to read a key from disk and use it 
> in our application:
> 
> SSL_CTX_use_certificate_file(my_ssl_ctx_save,"./SSL/pubcert.pem",SSL_FILETYPE_PEM);
> SSL_CTX_use_PrivateKey_file(my_ssl_ctx_save,"./SSL/privkey.pem",SSL_FILETYPE_PEM);
> 
> This works, however, this method is extremely slow in our multi-threaded 
> environment due to disk I/O.  I was wondering if there was an alternate 
> function that would read the data in the file stored in memory, useable 
> by a function similar to SSL_CTX_use_certificate_file(), so that the 
> application will not slow down due to disk I/O.  I don't believe that 
> this is possible with the current function because the file argument is 
> of type const char *file.
> 
> What about using an mmap()?
> 
> I'm not a programmer, just an information whore, which is why I'm asking 
> you guys if you've ever done anything like this, and how you overcame 
> this problem.  Any and all feedback would be greatly appreciated, and as 
> I eat my lunch, I will think of you guys.
> 

This is not hard to do. There are several ways to load certificates and
private keys into SSL_CTX structures.  One way is to pass the private key
and certificate structures (EVP_PKEY and X509) using SSL_CTX_use_PrivateKey()
and SSL_CTX_use_certificate() respectively.

The EVP_PKEY and X509 structures can be set from a number of functions such as 
PEM_read_bio_{PrivateKey,X509} where the 'bio' can represent a memory buffer.

In outline something like this should work:

X509 *cert;
BIO *mem;
mem = BIO_new_mem_buf(buffer, bufferlen);
cert = PEM_read_bio_X509(mem, NULL, 0, NULL);
SSL_CTX_use_certificate(ctx, cert);

That's omitting error checking and freeing up afterwards.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
