On Thu, Sep 12, 2002 at 09:03:17AM -0600, Craig Kaes wrote:
> Yes, I looked at rewriting bss_file.c and came to the same conclusion
> that you did -- a good last-chance sort of solution (though bss_socket.c
> seems to have done much of this work???). In the end, I went ahead and
> preloaded the certificate and key. This key/cert combo may be used by
> thousands of connections. Whenever a new socket connection needs the
> key or cert, I bump the refcount and hand it back. Can you tell me if
> I'm using any internal calls that I ought to be leaving alone?
>
> _cert is an X509*, _key is an EVP_PKEY*, and fp is a FILE*
>
> To load the key:
>
> _key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
>
> To load the cert:
>
> _cert = PEM_read_X509(fp, NULL, NULL, NULL);
>
> To bump the key refcount:
>
> CRYPTO_add(&_key->references,1,CRYPTO_LOCK_EVP_PKEY);
>
> To bump the cert refcount:
>
> CRYPTO_add(&_cert->references,1,CRYPTO_LOCK_X509);
>
> I've tested this solution and it works for multiple SSL connections, but
> I'd hate to have to redo this stuff w/ each passing version.

I don't see the requirement to touch the reference counts.
Simply load the key and certificates into EVP_PKEY and X509 objects.
Later you just use SSL_use_certificate() and SSL_use_PrivateKey().
They will increment and decrement the reference counts as needed
(see ssl/ssl_rsa.c:ssl_set_cert(), just at the end of the function :-).

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]