Yes, I looked at rewriting bss_file.c and came to the same conclusion
that you did -- a good last-chance sort of solution (though bss_socket.c
seems to have done much of this work???). In the end, I went ahead and
preloaded the certificate and key. This key/cert combo may be used by
thousands of connections. Whenever a new socket connection needs the
key or cert, I bump the refcount and hand it back. Can you tell me if
I'm using any internal calls that I ought to be leaving alone?
_cert is an X509*, _key is an EVP_PKEY*, and fp is a FILE*
To load the key:
_key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
To load the cert:
_cert = PEM_read_X509(fp, NULL, NULL, NULL);
To bump the key refcount:
CRYPTO_add(&_key->references,1,CRYPTO_LOCK_EVP_PKEY);
To bump the cert refcount:
CRYPTO_add(&_cert->references,1,CRYPTO_LOCK_X509);
I've tested this solution and it works for multiple SSL connections, but
I'd hate to have to redo this stuff w/ each passing version.
--Craig
Lutz Jaenicke wrote:
> On Wed, Sep 11, 2002 at 12:41:18PM -0600, Craig Kaes wrote:
>
>>I appreciate that I am now on my own. FWIW, though, your statement
>>below is untrue, at least on Solaris 8. Open is not limited in the same
>>way that fopen is w/ regard to # of fds. Also, fwiw, neither is socket(2).
>
>
> To be fair, I have never seen this before. I just had a look into the
> stdio.h of my HP-UX boxes (HP-UX 10.20, released around 1996):
> typedef struct {
> int __cnt;
> unsigned char *__ptr;
> unsigned char *__base;
> unsigned short __flag;
> unsigned char __fileL; /* low byte of file desc */
> unsigned char __fileH; /* high byte of file desc */
> } FILE;
> which gives me the impression that there is no such limit on HP-UX.
> (I have "ulimit -n" being 120 anyway, so I could test without rebuilding
> the kernel and rebooting.)
>
> So what are the options:
> * You are the first person to report this problem. It seems to be platform
> specific. So we could simply leave it as is and leave you to your problem.
> Most if not all functions of OpenSSL also work fine without fopen().
> File operations are typically used to handle keys and certificates but
> the file operations are just for your convenience. You can always load
> the data to memory yourself, convert via d2i/i2d_* and use it.
> * You may consider looking around in Solaris specific newsgroups and
> mailing lists. Maybe you find a solution (maybe not).
> * Finally it might be possible to rewrite bss_file.c to perform the
> buffering itself and use unbuffered io to circumvent this problem.
> This however is not easily done when considering that it has to
> handle things like "binary mode", "text mode", ... in a platform
> independent manner (this especially including M$ platforms).
>
> Best regards,
> Lutz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]