On Sat, May 24, 2014 at 10:32:35AM +0200, Kaspar Brand wrote:
> On 19.05.2014 10:15, Plüm, Rüdiger, Vodafone Group wrote:
> > Maybe stupid idea, but can't we do that once and hand it out over
> > and over again?
>
> Not a stupid idea at all - I think it's actually the most sensible
> solution to this problem. This is what OpenSSL does with the
> DH parameters provided by the callback in
> s3_srvr.c:ssl3_send_server_key_exchange():
This may be a stupid question: if we are doing this once per process lifetime, would it not be better to do it at init time, and store the results somewhere other than a static variable? We have a potential race here between threads doing the param generation, right?

+ static DH *dh = NULL; \
+ DH *dh_tmp; \
...
+ dh = dh_tmp; \

though it would not matter who wins the race *if* we could rely on pointer assignment being atomic - which is a fairly dubious assumption, and at least deserves a comment. If a potential race is possible here, it might be better to do it once at startup to save CPU time anyway?

Regards, Joe
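Review bot: the store "dh = dh_tmp" into the file-scope static in this hunk has no lock or once-guard around it, so the safe fix is not a comment asserting that pointer assignment is atomic but a once-only initialiser (pthread_once / apr_thread_once) or a mutex around the generation and the store; given that, generating the parameters once at startup, as suggested, is the simpler option.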
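As an added illustration of the once-per-process initialisation Joe is asking for (this is example code, not from the httpd or OpenSSL source), the block below shows the racy lazy-init shape from the quoted hunk next to a hardened accessor built on pthread_once, and a checker that fires several threads at the accessor to confirm the expensive step ran exactly once. The type fake_params and the function fake_generate are hypothetical stand-ins for the DH object and its generation; httpd itself would use APR's equivalent once primitive rather than pthread directly.

```c
/* Added example (not httpd/OpenSSL code): race-free one-time initialisation
 * of a cached parameter object. fake_params / fake_generate are hypothetical
 * stand-ins for DH and its expensive parameter generation. */
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct {
    uint64_t p;   /* stand-in for a prime modulus */
    uint64_t g;   /* stand-in for a generator */
} fake_params;

static fake_params *cached_params = NULL;
static pthread_once_t params_once = PTHREAD_ONCE_INIT;
static int generation_runs = 0;   /* how many times the expensive step ran */

/* Hypothetical expensive step: deterministic busy work standing in for
 * parameter generation. */
static fake_params *fake_generate(void)
{
    fake_params *fp = malloc(sizeof *fp);
    if (fp == NULL)
        return NULL;
    uint64_t x = 0x9e3779b97f4a7c15ULL;
    for (int i = 0; i < 1000000; i++)
        x = x * 6364136223846793005ULL + 1442695040888963407ULL;
    fp->p = x | 1;
    fp->g = 2;
    return fp;
}

/* The shape of the quoted hunk: a NULL check followed by an unsynchronised
 * store. Two threads can both see NULL, both generate, and both store; the
 * loser's object is lost. Kept only for contrast, never called here. */
static fake_params *racy_get_params(void)
{
    static fake_params *dh = NULL;
    if (dh == NULL) {
        fake_params *dh_tmp = fake_generate();
        dh = dh_tmp;
    }
    return dh;
}

static void init_params(void)
{
    generation_runs++;             /* reached exactly once under pthread_once */
    cached_params = fake_generate();
}

/* Hardened accessor: pthread_once runs init_params once, and every caller
 * returns only after it has completed, so no thread observes a racing store. */
fake_params *get_params(void)
{
    pthread_once(&params_once, init_params);
    return cached_params;
}

int get_generation_runs(void)
{
    return generation_runs;
}

static void *worker(void *arg)
{
    *(fake_params **)arg = get_params();
    return NULL;
}

/* Start nthreads that all call get_params concurrently; returns 1 when every
 * thread received the same non-NULL pointer and generation ran once. */
int check_single_init(int nthreads)
{
    pthread_t tids[64];
    fake_params *seen[64];
    if (nthreads < 1 || nthreads > 64)
        return 0;
    for (int i = 0; i < nthreads; i++) {
        if (pthread_create(&tids[i], NULL, worker, &seen[i]) != 0)
            return 0;
    }
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    for (int i = 0; i < nthreads; i++) {
        if (seen[i] == NULL || seen[i] != seen[0])
            return 0;
    }
    (void)racy_get_params;   /* referenced so the contrast function is not flagged unused */
    return generation_runs == 1;
}

int main(void)
{
    return check_single_init(8) ? 0 : 1;
}
```

Moving the generation to server startup, as Joe suggests, removes the need for the once-guard entirely: the static is written before any worker thread exists, and all later readers only ever load it.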