> So IMO what Paul Sheer is doing - disabling all locking in OpenSSL given
> that there won't be any static and/or global variables in the OpenSSL
> code called is 100% safe thing [====>] if [<====] the threads do not share
> any data manipulated within the OpenSSL library.

Quite a big "if" there!! :-)  Well, my list of mods is now as follows:

1. BIO_new() with my own BIO objects.
2. RAND_set_rand_method() with my own RAND object.
3. CRYPTO_set_ex_data_implementation() to dummy implementation.
4. Set SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_SERVER
| SSL_SESS_CACHE_NO_AUTO_CLEAR.
5. Init exactly one SSL_CTX context per thread.
6. ERR_set_implementation() my own error implementation which keeps an error
state per context (thread).
7. CRYPTO_set_mem_functions() my own thread-safe functions.
8. Build OpenSSL with no-threads no-dso no-comp (no-comp is for an
80-byte memory leak in the comp stack) and of course -DOPENSSL_NO_LOCKING.
9. Add a couple of lines to the lh_hash code to assert() if lh_hash is used
AT ALL after SSL_library_init() is called. Just for assurance.

The result is that:

A. OpenSSL does not ever look at errno,
B. accesses no global vars after initialization.
C. appears to be stable at 50 concurrent connections and 7 concurrent
sessions/threads all running under the same process.

Point B. is still not absolutely guaranteed - HELP!! ;-)

-paul

> As locking can be pretty expensive in terms of CPU cycles it is
> desirable to allow using OpenSSL this way so to remove all static and/or
> global variables in its code or at least isolate them and allow using
> OpenSSL code without them being touched.

Yep!

-paul

> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                              Turkish proverb
>
> ______________________________________________________________________
>  OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>