Darryl Miles wrote:
Nick Kew wrote:
Unless OpenSSL nomenclature is rather confusing here, an SSL_CTX
sounds like the kind of thing you would instantiate per-connection
or per-request. Does your module act on a request or a connection?
Maybe a bit of background reading and examination of reference
implementations would be a better help for you right now.
[...]
I hope that comment wasn't for me?!
There might be a misunderstanding about my original posting (or we are
drifting off):
Inside the OpenSSL library is more than SSL. :-)
I want to use OpenSSL's crypto library (for encryption). Something like:
    EVP_CIPHER_CTX ctx;
    EVP_CIPHER_CTX_init(&ctx);
    EVP_EncryptInit(&ctx, EVP_bf_cbc(), key, iv);
    EVP_EncryptUpdate(&ctx, outbuf, &olen, inbuff, n);
    EVP_EncryptFinal(&ctx, outbuf + olen, &tlen);
Because 'EVP_CIPHER_CTX_init' is 'slow', I want to call it once! (Yes! I
can call it for every request and then (I think) I am on the safe side,
but I do not want this because there are MANY requests!)
So my code has to be thread safe, as Apache might be compiled with
thread support! To make it thread safe
http://www.openssl.org/docs/crypto/threads.html told me:
"OpenSSL can safely be used in multi-threaded applications provided that
at least two callback functions are set."
This means the two functions 'CRYPTO_set_locking_callback' and
'CRYPTO_set_id_callback'!
These two functions are being called from mod_ssl by the
ssl_init_Module-function (via ssl_util_thread_setup, which creates some
thread mutexes and calls both functions) without testing whether
they have already been called or not.
My question is: How does this interfere with my module? How can I ensure
that only one of us (mod_ssl or my module) is calling both of these
functions? I cannot believe that there is no problem when my module
creates some thread mutexes and mod_ssl does it too...
Regards,
Frank
P.S.: I still think there is a need for a test routine like
'ssl_is_thread_safe_maker_on()'.
P.P.S.: To Nick Kew: I don't agree with Rüdiger's comment. I think
OpenSSL is needed in the 1st edition. :-)
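
The check-before-set idea raised in this message, as an added example that is not part of the original post and is not mod_ssl's code. It is a self-contained C model: `model_set_locking_callback` and `model_get_locking_callback` are assumed stand-ins for the process-wide slot behind `CRYPTO_set_locking_callback` (OpenSSL before 1.1.0 also provides `CRYPTO_get_locking_callback` to read it), and every other name is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Callback signature used by OpenSSL's pre-1.1.0 locking API. */
typedef void (*lock_cb)(int mode, int n, const char *file, int line);

/* Model (assumption): the single process-wide slot inside libcrypto. */
static lock_cb g_slot = NULL;
static void model_set_locking_callback(lock_cb cb) { g_slot = cb; }
static lock_cb model_get_locking_callback(void) { return g_slot; }

/* Each module's callback counts how often libcrypto would take its mutexes. */
static int my_hits, other_hits;
static void my_lock(int m, int n, const char *f, int l) { (void)m; (void)n; (void)f; (void)l; my_hits++; }
static void other_lock(int m, int n, const char *f, int l) { (void)m; (void)n; (void)f; (void)l; other_hits++; }

/* Stand-in for a libcrypto operation that locks shared state. */
static void model_crypto_op(void) { if (g_slot) g_slot(1, 0, __FILE__, __LINE__); }

/* Cooperative module: install only into an empty slot; 1 means we own it. */
static int install_if_unset(lock_cb cb) {
    if (model_get_locking_callback() != NULL) return 0;
    model_set_locking_callback(cb);
    return 1;
}
/* Cooperative cleanup: clear the slot only if it still holds our callback. */
static int remove_if_ours(lock_cb cb) {
    if (model_get_locking_callback() != cb) return 0;
    model_set_locking_callback(NULL);
    return 1;
}
/* Module that sets without checking, as the post says mod_ssl does. */
static void unconditional_install(lock_cb cb) { model_set_locking_callback(cb); }

/* Returns 1 when locking ends up with exactly one owner (the other module). */
int run_scenario(int other_loads_first) {
    int owned, removed;
    g_slot = NULL; my_hits = other_hits = 0;
    if (other_loads_first) unconditional_install(other_lock);
    owned = install_if_unset(my_lock);
    if (!other_loads_first) unconditional_install(other_lock); /* replaces ours */
    model_crypto_op();
    removed = remove_if_ours(my_lock); /* slot is not ours: leave it alone */
    return owned == !other_loads_first && !removed && other_hits == 1
        && my_hits == 0 && model_get_locking_callback() == other_lock;
}

int main(void) {
    printf("%d %d\n", run_scenario(1), run_scenario(0));
    return 0;
}
```

In both load orders the cooperative module leaves a callback it does not own in place, so the slot is never cleared while the other module still depends on it.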