I'm implementing a multithreaded server using OpenSSL. Yes, you can create one context to be used among all threads. As far as synchronization, there is a "threads" manual page somewhere under www.openssl.org (which appears to be down at the moment, or I'd be more precise) that describes the issues. The FAQ gives a link to it.

You do need to learn about the following:

    CRYPTO_num_locks()
    CRYPTO_set_locking_callback()
    CRYPTO_set_id_callback()

Having said that, the "threads" man page says that the above must be used for any application that uses OpenSSL in multiple threads. But my cursory examination of the source code implies that they are only utilized when you explicitly use the session management routines, which I am not. Preferring to be over-safe than under-safe, I am using them.

Glover Barker


Eric Rescorla <[EMAIL PROTECTED]>
Sent by: owner-openssl-users@openssl.org
12/04/2001 03:24 PM
Please respond to openssl-users
Subject: Re: Newbie dev questions


"Tim Pushor" <[EMAIL PROTECTED]> writes:
> I am following the 'Introduction to OpenSSL programming' found at rtfm.com.
> I am having no trouble understanding the concepts within, but have a few
> questions:
>
> 1) My application is multithreaded (using pthreads) and each thread will
> make a new SSL connection. Can I create the global SSL context in the main
> thread, and then use it in each worker thread to generate the individual
> connections? Is there any synchronization necessary?
As far as I know, the rule is that you cannot use a single SSL object in more than one thread but that you can share an SSL_CTX as long as you've compiled OpenSSL in threaded mode. However, I'd like to see someone who's actually done OpenSSL thread programming weigh in :)

> 2) I need to use nonblocking IO for reads and writes (to handle timeouts
> mainly). The introduction does not cover that :( is there anywhere I can see
> a (hopefully simple) implementation of nonblocking IO?
Actually, part II does cover that. I haven't had time to typeset it in PDF but it's available on the Linux Journal web site at:

http://www.linuxjournal.com/article.php?sid=5487

> or is there a
> mechanism inside OpenSSL to handle read/write timeouts?
No. You have to do it yourself.
> 3) I don't care about client authentication, or about server CA
> verification. Can I just set the verify depth to 0 in the global SSL
> context?
This is a bad bad idea because it leaves you open to active attack. However, it's not done by setting the verify depth to zero. Just leave the SSL ctx as it is and don't check whether verification succeeded or not. If you look at my code in wclient you can see how this works:

    if(require_server_auth)
      check_cert(ssl,host);

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
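The three calls Glover lists above (CRYPTO_num_locks, CRYPTO_set_locking_callback, CRYPTO_set_id_callback) are the pre-1.1.0 OpenSSL way of telling the library how to lock its shared state when one SSL_CTX is used from several pthreads (each SSL object still belonging to one thread). The following is an added example written for this page, not code from the thread or from OpenSSL itself. It installs a mutex array sized by CRYPTO_num_locks() and the two callbacks; build with -DUSE_REAL_OPENSSL against the real headers, otherwise the stand-in definitions at the top (an assumed lock count of 41, no-op setters) let it compile and exercise the callback logic without the library. The helper lock_slot_is_held() is mine, used only to observe the mutex state.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

#ifdef USE_REAL_OPENSSL
#include <openssl/crypto.h>   /* CRYPTO_LOCK, CRYPTO_num_locks, the two setters */
#else
/* Stand-ins so the example compiles where OpenSSL headers are absent. They
 * copy the shape of the pre-1.1.0 API; the lock count is a constructed
 * value, the real one comes from the library at run time. */
#define CRYPTO_LOCK 1
static int CRYPTO_num_locks(void) { return 41; }
static void CRYPTO_set_locking_callback(void (*cb)(int, int, const char *, int)) { (void)cb; }
static void CRYPTO_set_id_callback(unsigned long (*cb)(void)) { (void)cb; }
#endif

static pthread_mutex_t *lock_array;   /* one mutex per OpenSSL lock slot */
static int lock_count;

/* OpenSSL calls this with CRYPTO_LOCK set in mode to take slot n and with it
 * cleared to release the slot; file/line identify the caller in the library. */
void locking_callback(int mode, int n, const char *file, int line)
{
    (void)file; (void)line;
    if (n < 0 || n >= lock_count)
        abort();   /* library and callback disagree on the slot count */
    if (mode & CRYPTO_LOCK)
        pthread_mutex_lock(&lock_array[n]);
    else
        pthread_mutex_unlock(&lock_array[n]);
}

/* Thread identity OpenSSL uses to keep its error queues per thread. */
unsigned long thread_id_callback(void)
{
    return (unsigned long)pthread_self();
}

/* Call once from the main thread before any worker starts.
 * Returns the number of locks allocated, or -1 on allocation failure. */
int openssl_threads_init(void)
{
    int i;
    lock_count = CRYPTO_num_locks();
    lock_array = calloc((size_t)lock_count, sizeof(pthread_mutex_t));
    if (lock_array == NULL)
        return -1;
    for (i = 0; i < lock_count; i++)
        pthread_mutex_init(&lock_array[i], NULL);
    CRYPTO_set_id_callback(thread_id_callback);
    CRYPTO_set_locking_callback(locking_callback);
    return lock_count;
}

/* Observation helper (not part of the OpenSSL API): 1 if slot n is held. */
int lock_slot_is_held(int n)
{
    if (pthread_mutex_trylock(&lock_array[n]) == EBUSY)
        return 1;
    pthread_mutex_unlock(&lock_array[n]);
    return 0;
}

/* Call after every worker has been joined and before the process exits. */
void openssl_threads_cleanup(void)
{
    int i;
    CRYPTO_set_locking_callback(NULL);
    CRYPTO_set_id_callback(NULL);
    for (i = 0; i < lock_count; i++)
        pthread_mutex_destroy(&lock_array[i]);
    free(lock_array);
    lock_array = NULL;
    lock_count = 0;
}
```

Install the callbacks before the first SSL_CTX is created and remove them only after the last worker has joined; a thread that still calls into OpenSSL after openssl_threads_cleanup() runs is back to unsynchronized access. OpenSSL 1.1.0 and later lock internally and turn these setters into no-ops, so the example matters for the 0.9.x series the thread is about.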