Yes, I looked at rewriting bss_file.c and came to the same conclusion that you did -- a good last-chance sort of solution (though bss_socket.c seems to have done much of this work???). In the end, I went ahead and preloaded the certificate and key. This key/cert combo may be used by thousands of connections. Whenever a new socket connection needs the key or cert, I bump the refcount and hand it back. Can you tell me if I'm using any internal calls that I ought to be leaving alone?
_cert is an X509*, _key is an EVP_PKEY*, and fp is a FILE*.

To load the key:           PEM_read_PrivateKey(fp, NULL, NULL, NULL);
To load the cert:          PEM_read_X509(fp, NULL, NULL, NULL);
To bump the key refcount:  CRYPTO_add(&_key->references,1,CRYPTO_LOCK_EVP_PKEY);
To bump the cert refcount: CRYPTO_add(&_cert->references,1,CRYPTO_LOCK_X509);

I've tested this solution and it works for multiple SSL connections, but I'd hate to have to redo this stuff w/ each passing version.

--Craig

Lutz Jaenicke wrote:
> On Wed, Sep 11, 2002 at 12:41:18PM -0600, Craig Kaes wrote:
>
>>I appreciate that I am now on my own. FWIW, though, your statement
>>below is untrue, at least on Solaris 8. Open is not limited in the same
>>way that fopen is w/ regard to # of fds. Also, fwiw, neither is socket(2).
>
> To be fair, I have never seen this before. I just had a look into the
> stdio.h of my HP-UX boxes (HP-UX 10.20, released around 1996):
> typedef struct {
>   int __cnt;
>   unsigned char *__ptr;
>   unsigned char *__base;
>   unsigned short __flag;
>   unsigned char __fileL; /* low byte of file desc */
>   unsigned char __fileH; /* high byte of file desc */
> } FILE;
> which gives me the impression that there is no such limit on HP-UX.
> (I have "ulimit -n" being 120 anyway, so I could test without rebuilding
> the kernel and rebooting.)
>
> So what are the options:
> * You are the first person to report this problem. It seems to be platform
>   specific. So we could simply leave it as is and leave you to your problem.
>   Most if not all functions of OpenSSL also work fine without fopen().
>   File operations are typically used to handle keys and certificates but
>   the file operations are just for your convenience. You can always load
>   the data to memory yourself, convert via d2i/i2d_* and use it.
> * You may consider looking around in Solaris specific newsgroups and
>   mailing lists. Maybe you find a solution (maybe not).
> * Finally it might be possible to rewrite bss_file.c to perform the
>   buffering itself and use unbuffered io to circumvent this problem.
>   This however is not easily done when considering that it has to
>   handle things like "binary mode", "text mode", ... in a platform
>   independent manner (this especially including M$ platforms).
>
> Best regards,
>   Lutz

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]