On Thu, Sep 12, 2002 at 09:03:17AM -0600, Craig Kaes wrote:
> Yes, I looked at rewriting bss_file.c and came to the same conclusion
> that you did -- a good last-chance sort of solution (though bss_socket.c
> seems to have done much of this work???). In the end, I went ahead and
> preloaded the certificate and key. This key/cert combo may be used by
> thousands of connections. Whenever a new socket connection needs the
> key or cert, I bump the refcount and hand it back. Can you tell me if
> I'm using any internal calls that I ought to be leaving alone?
>
> _cert is an X509*, _key is an EVP_PKEY*, and fp is a FILE*
>
> To load the key:
>
> PEM_read_PrivateKey(fp, NULL, NULL, NULL);
>
> To load the cert:
>
> PEM_read_X509(fp, NULL, NULL, NULL);
>
> To bump the key refcount:
>
> CRYPTO_add(&_key->references,1,CRYPTO_LOCK_EVP_PKEY);
>
> To bump the cert refcount:
>
> CRYPTO_add(&_cert->references,1,CRYPTO_LOCK_X509);
>
> I've tested this solution and it works for multiple SSL connections, but
> I'd hate to have to redo this stuff w/ each passing version.

I don't see the requirement to touch the reference counts. Simply load
the key and certificates into EVP_PKEY and X509 objects. Later you just
use SSL_use_certificate() and SSL_use_PrivateKey(). They will increment
and decrement the reference counts as needed (see
ssl/ssl_rsa.c:ssl_set_cert(), just at the end of the function :-).

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus