On 9/25/2010 9:31 AM, Jayaraghavendran k wrote:

> (a) Does OpenSSL plan to support this feature in any of its future
> releases? (Or does any of the releases already support it? I went
> through the Change Logs, but couldn't find anything.) If not, why not?

I can't answer whether there are any plans, but I doubt it. The reason not to is that the library is not the right place to implement that kind of logic.

> (b) As far as I understand, the main problem with the parallel
> SSL_read / SSL_write is renegotiation, i.e. a call to SSL_read can
> lead to a send call and vice-versa, so, if I ensure I don't do
> renegotiation at all (both sides use my application) then will the
> code work fine?

No, it will still break. The SSL connection has one and only one state, and you are trying to manipulate it from two places at the same time.

> (c) I would also like to know the reason behind such a design,
> considering the fact that TCP supports parallel send / recv. Is it
> enforced by the protocol design, or did other design parameters force
> such a design?

This is how every other library works. TCP is an exception.

Take, for example, a typical string library. You can perform 'read' operations (those that do not change state) from multiple threads on the same string at the same time. But you would never expect the string library to support two 'write' operations (those that do change state) on the same string at the same time. If you did 'a+="A";' and 'a+="B";' at the same time in two different threads, you wouldn't expect a sensible result.

Another problem is that there's basically no way OpenSSL could provide this capability without a service thread. Consider if a blocking SSL_read is terminated from another thread that calls a shutdown function -- what thread is left to complete the SSL protocol shutdown? TCP handles lingering data in the kernel with the kernel's own threads, but OpenSSL can't do that. And unless you use a service thread per connection in flux, you wind up in the very platform-specific world of I/O multiplexing.

All of this can be done, but not sensibly inside OpenSSL.

DS
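The pattern the reply points at, a single lock per connection that every operation (read, write and shutdown alike) takes, written out as an added example. This is not code from the thread or from OpenSSL: `FakeTlsState` is a constructed stand-in for the one state object behind an `SSL*` (record sequence numbers and a shutdown flag), and `SerializedConnection` is the application-side wrapper that makes sure that state is only ever driven from one thread at a time. Separate read and write locks would not be enough, since the reply's point is that both calls touch the same state; so the wrapper uses one lock for all of them.

```python
"""Serialize every operation on one TLS connection through one lock.

Added example, not from the original mailing-list thread. FakeTlsState is a
constructed stand-in for the single state object a TLS library keeps per
connection; the real content is SerializedConnection, which applies the rule
from the reply: one state, one lock, every call goes through it.
"""
import threading
from dataclasses import dataclass, field


class ConnectionClosed(Exception):
    """Raised when read/write is attempted after shutdown."""


@dataclass
class FakeTlsState:
    """Constructed stand-in for the record-layer state behind an SSL* object."""
    write_seq: int = 0
    read_seq: int = 0
    closed: bool = False
    sent_records: list = field(default_factory=list)

    def write(self, data: bytes) -> None:
        if self.closed:
            raise ConnectionClosed("write after shutdown")
        # Read-modify-write on shared state: two unsynchronized callers can
        # both observe the same seq and emit duplicate or out-of-order records.
        seq = self.write_seq
        self.sent_records.append((seq, data))
        self.write_seq = seq + 1

    def read(self) -> bytes:
        if self.closed:
            raise ConnectionClosed("read after shutdown")
        seq = self.read_seq
        self.read_seq = seq + 1
        return b"record-%d" % seq

    def shutdown(self) -> None:
        self.closed = True


class SerializedConnection:
    """Application-side wrapper: one lock per connection for all operations.

    Read, write and shutdown share the lock because the underlying state is
    one object; a shutdown cannot run while another thread is mid-read.
    """

    def __init__(self, state: FakeTlsState):
        self._state = state
        self._lock = threading.Lock()

    def write(self, data: bytes) -> None:
        with self._lock:
            self._state.write(data)

    def read(self) -> bytes:
        with self._lock:
            return self._state.read()

    def shutdown(self) -> None:
        with self._lock:
            self._state.shutdown()


def run_workers(conn: SerializedConnection, n_threads: int = 8,
                ops_per_thread: int = 500) -> None:
    """Drive one connection from several threads, each doing write then read."""
    def worker(tid: int) -> None:
        for i in range(ops_per_thread):
            conn.write(b"%d:%d" % (tid, i))
            conn.read()

    threads = [threading.Thread(target=worker, args=(t,)) for t in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def check_sequence_integrity(state: FakeTlsState) -> bool:
    """Record-layer invariant: sequence numbers are exactly 0..n-1, no gaps,
    no duplicates, and the counter agrees with the number of records sent."""
    seqs = [seq for seq, _ in state.sent_records]
    return seqs == list(range(len(seqs))) and state.write_seq == len(seqs)


if __name__ == "__main__":
    st = FakeTlsState()
    c = SerializedConnection(st)
    run_workers(c)
    print("records:", len(st.sent_records), "intact:", check_sequence_integrity(st))
    c.shutdown()
```

With the lock in place the invariant holds for any thread count; remove the `with self._lock:` lines and the same run can produce duplicate sequence numbers, which is the kind of state corruption the reply is describing. The wrapper also answers the shutdown question in the message above at the application level: because `shutdown()` takes the same lock, it waits for whichever `read()` or `write()` currently owns the state instead of tearing it down underneath it.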

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
