The SSL will abort the handshake automatically when something is wrong, such as
an authentication failure, no shared cipher list, a verify callback failure and
so on. So I think you shall call the shutdown and free the object when the
handshake functions (SSL_do_handshake, SSL_accept, SSL_connect...) fail.


At 2011-02-23 00:45:22,"Aro RANAIVONDRAMBOLA" <razuk...@gmail.com> wrote:
Hello,
I would like to know at what time I have to call shutdown. Is there a case where
I have no choice (and so I have to shut down)?
In fact, I am developing a secure stack between TCP and an application. So
appli_connect( ), appli_read( ), ... appli_accept( ) are defined like this:
appli_connect(appli_num, ... ){
    connect(appli_num->sock , ...);
    ...
    SSL_connect(appli_num->ssl, ...);
}

appli_accept(appli_num, ...){
    accept(appli_num->sock, ...);
    ...
    SSL_accept(...);
}

appli_read( ){
...
}
appli_write( ){
..
}


      


2011/2/16 lzyzizi<lzyz...@126.com>
Sorry, I confused you.
1) I just want to say that it depends on your needs whether to call
SSL_CTX_free(). For example, you develop an application that needs the user to
import the certificate. If the user imports the wrong certificate, you may not
call SSL_CTX_free to free the SSL_CTX object. You may tell the user that the
certificate is wrong, and let him import again.
Sometimes you develop a server. Every time the server starts, it will load
the certificate. The failure of calling SSL_CTX_use_certificate_file means that
it loaded the wrong certificate. If it is a fatal error for you, you should call
SSL_CTX_free to free the SSL_CTX object and end your server.

I think the usage of the SSL_CTX/SSL functions is not about SSL usage, but the
common sense of object-oriented programming. When to kill the object depends on
what your program needs.



At 2011-02-16 19:40:50,"Aro RANAIVONDRAMBOLA" <razuk...@gmail.com> wrote:
2) => OK
1) I do not understand when you say I can also call
SSL_CTX_use_certificate_file( ) to load another certificate file ...
   If it fails, how can you load another certificate file?



2011/2/15 lzyzizi<lzyz...@126.com>
When you have to call SSL_free() and SSL_CTX_free() depends on when you want
to end the SSL/SSL_CTX object's lifecycle. Calling these functions is just
like deleting the object in C++, which means you don't want the object any more.
The failure of calling functions (e.g. SSL_CTX_set_cipher_list( ),
SSL_CTX_use_certificate_file( ), ..., SSL_CTX_set_verify( )) does not mean that
the SSL/SSL_CTX object won't work any more. For example, if
SSL_CTX_use_certificate_file() fails, it just means that the certificate file
may not be OK. You can also call it to load another certificate file.

2) You may not call SSL_CTX_free() when an SSL object fails, because the SSL_CTX
object is used as a factory to create SSL objects. SSL_CTX may create many SSL
objects. A failing SSL object just means that this SSL handshake (or other
operation) has errors, which does not imply that the SSL_CTX object has an
error. Especially, the failure of these functions (SSL_connect( ),
SSL_accept( ), SSL_get_verify_result()) is common in the SSL handshake, because
your peer sent a wrong certificate to you or something that violated the SSL
protocol. It is not your fault, so you just need to free the SSL object or do
some reconnection operation.


At 2011-02-15 22:40:29,"Aro RANAIVONDRAMBOLA" <razuk...@gmail.com> wrote:
Hello,
I'd like to know at what time I have to call SSL_free( ) and SSL_CTX_free( ).
1) For example, I call SSL_CTX_free( ) when a call to a function which fills in
the CTX fails ( SSL_CTX_set_cipher_list( ), SSL_CTX_use_certificate_file( ),
..., SSL_CTX_set_verify( ) ). I am wondering if it is a good idea.
2) I call both SSL_free( ) and SSL_CTX_free( ) when a function using an SSL
object fails. It concerns SSL_connect( ), SSL_accept( ),
SSL_get_verify_result(), ... Is that OK?
Thanks








