> Objects are copied and ref-counted when an SSL is created from an SSL_CTX...
To me this seems is only half-true. In SSL_new() we see that only the own certificate/key gets duplicated with ssl_cert_dup(ctx->cert), as for the trusted stuff in X509_STORE only the pointer is copied.
Inside ssl_verify_cert_chain() when a temporary X509_STORE_CTX is created it will share the X509_STORE instance with all other connections.Therefore we must assume that replacing the X509_STORE instance from an other thread during running connections is definitely unsafe.
Alternatively, do you think the reference counter system is able to correctly handle additions/removals to/from the existing X509_STORE obj list instead of replacing it?FabrizioGesendet: Mittwoch, 12. August 2015 um 15:38 Uhr
Von: "Salz, Rich" <rs...@akamai.com>
An: "openssl-users@openssl.org" <openssl-users@openssl.org>
Betreff: Re: [openssl-users] X509_STORE manipulations and thread-safety> Is it safe to have a thread reload trusted certificates and crls into a SSL_CTX's X509_STORE while connections are running in other threads, especially when considering renegotiations?
As a general rule, multi-thread simultaneous access doesn't work and will often make things go ka-boom. But generally ongoing connections use SSL objects, not SSL_CTX, so a brief locking scheme should be okay. Objects are copied and ref-counted when an SSL is created from an SSL_CTX...
--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
