> On Sep 18, 2018, at 1:04 PM, Viktor Dukhovni <openssl-us...@dukhovni.org>
> wrote:
>
> That depends on whether setting the cert_store element was done properly
> (in a way that incremented the reference count) or not. See the
> documentation of:
>
> SSL_CTX_set1_cert_store(3)
> SSL_CTX_set_cert_store(3)
>
> the latter does not facilitate sharing the store across multiple SSL_CTX
> instances.

Note that SSL_CTX_set1_cert_store(3) is new with OpenSSL 1.1.x. In OpenSSL
1.0.2, the caller would have to increment the reference count prior to
calling SSL_CTX_cert_store(). The caller typically owns a primary copy of
the store to use when configuring various SSL_CTX objects. In that case
the primary copy can be freed once the application no longer intends to
use the store to configure any more SSL_CTX objects.

In OpenSSL 1.1.x there is an X509_STORE_up_ref() function. In OpenSSL 1.0.2,
you can do that directly via:

    CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);

Bottom line, you need to figure out the life-cycle of the object, and ensure
that reference counts are properly maintained.

--
Viktor.
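
The ownership rules in the message above, as an added example that is not part of the original post and is not OpenSSL code: a small stand-alone C model in which one store is shared by two contexts, first with a set-style call and no increment, then with a set1-style call and with a manual increment before a set-style call. All names (model_store, model_ctx and the functions) are hypothetical, and the model assumes a new context holds no store, whereas a real SSL_CTX starts with one of its own.

```c
/* Constructed model of the ownership rules above; NOT OpenSSL source.
 * model_store, model_ctx and every function here are hypothetical names. */
#include <stdio.h>
typedef struct { int references; int destroyed; } model_store;
typedef struct { model_store *cert_store; } model_ctx;

static void store_up_ref(model_store *s) { s->references++; }
static void store_free(model_store *s) {        /* drop one reference */
    if (s && --s->references == 0) s->destroyed = 1;
}
/* set-style: the context takes over the caller's reference (no increment) */
static void ctx_set_store(model_ctx *c, model_store *s) {
    store_free(c->cert_store);
    c->cert_store = s;
}
/* set1-style: the context takes a reference of its own */
static void ctx_set1_store(model_ctx *c, model_store *s) {
    store_up_ref(s);
    ctx_set_store(c, s);
}
static void ctx_free(model_ctx *c) { store_free(c->cert_store); c->cert_store = NULL; }

/* Returns 1 if context b still points at a store that was already destroyed. */
int share_with_plain_set(void) {
    model_store s = {1, 0};
    model_ctx a = {NULL}, b = {NULL};
    ctx_set_store(&a, &s);
    ctx_set_store(&b, &s);      /* two owners, but only one reference */
    ctx_free(&a);               /* count reaches 0 while b still uses the store */
    return b.cert_store == &s && s.destroyed;
}
/* use_set1 != 0: set1-style; 0: increment by hand, then set-style.
 * Returns 1 if the store outlives a and is destroyed only when b is freed. */
int share_with_refcount(int use_set1) {
    model_store s = {1, 0};
    model_ctx a = {NULL}, b = {NULL};
    if (use_set1) { ctx_set1_store(&a, &s); ctx_set1_store(&b, &s); }
    else { store_up_ref(&s); ctx_set_store(&a, &s);
           store_up_ref(&s); ctx_set_store(&b, &s); }
    store_free(&s);             /* caller releases its primary copy */
    ctx_free(&a);
    int alive_for_b = !s.destroyed && s.references == 1;
    ctx_free(&b);
    return alive_for_b && s.destroyed;
}
int main(void) {
    printf("dangling=%d set1_ok=%d manual_ok=%d\n", share_with_plain_set(),
           share_with_refcount(1), share_with_refcount(0));
    return 0;
}
```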