Prabbu/Marek/Chong,

Thanks for your help. I am very much a newbie at OpenSSL too.

Suppose I have a "Singleton" class below. This method is shared by multiple threads. This class returns one and only one ctx (one context which is shared by multiple threads). For me, the only mutex lock I need is around line 8, because of the verify_callback method. The remaining methods are read only.

    Lock Mutex
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SslServerSocket::verify_callback);
    UnLock Mutex

Better than that, I may move the mutex inside "verify_callback". What do you think? Is it correct?

Thank You

    SslServerSocket::SslServerSocket(const char *CAFILE1, const char *CERTFILE1)
    {
        // 1) install thread-safety callbacks, then initialise the library
    1)  if (!reentrance.THREAD_setup() || !SSL_library_init()) {
            fprintf(stderr, "** OpenSSL initialization failed!\n");
            exit(-1);
        }
    2)  SSL_load_error_strings();
    3)  ctx = SSL_CTX_new(SSLv23_method());

        // load trusted root certificates, e.g. root.pem, into our application
        // CAFILE1 is root.pem; CADIR is the CA directory path (not shown in this snippet)
    4)  if (SSL_CTX_load_verify_locations(ctx, CAFILE1, CADIR) != 1)
            cout << "Error loading CA file and/or directory" << endl;
    5)  if (SSL_CTX_set_default_verify_paths(ctx) != 1)
            cout << "Error loading default CA file and/or directory" << endl;

        // load the chain of certificates into SSL_CTX
        // CERTFILE1 is client.pem (client certificate) on the client,
        // server.pem (server certificate) on the server
    6)  if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE1) != 1)
            cout << "Error loading certificate from file" << endl;

        // load the private key of the application into SSL_CTX (same PEM file as above)
    7)  if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE1, SSL_FILETYPE_PEM) != 1)
            cout << "Error loading private key from file" << endl;

        // OpenSSL verifies the peer's certificate chain automatically;
        // verify_callback filters the result of the default verification
    8)  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SslServerSocket::verify_callback);
    9)  SSL_CTX_set_verify_depth(ctx, 4);
    }
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Thursday, November 02, 2006 13:10
To: openssl-users@openssl.org
Subject: RE: Error accepting connections

Hello,

> Prabbu/Marek/Chong
> I have an SSL server application. It creates threads for each client
> connection.
> My server calls accept(). After the sock = accept() returns, I put SSL
> on sock and spin off a thread for that client. All socks share the same 'ctx'
> in the server. How do I lock the SSL object 'ctx' properly in this case?
> Should I generate a different 'ctx' for each client, instead of sharing it?
> Please Help.

Usually the SSL_CTX structure is shared between connections, but the SSL
object created from the SSL_CTX is allocated per connection. In general all
dynamic changes are made in the SSL object; on creation some data are copied
from the SSL_CTX and some point back to it, but in general they are used
mostly "read-only". But there are some use counters in SSL_CTX which are
incremented on SSL object creation and must be (should be) secured by a
locking mechanism. For this purpose setting static locking callbacks should
be enough, but dynamic locking callbacks may be set too.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
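Marek's point is that the use counters inside the shared SSL_CTX are bumped each time a per-connection SSL object is created, and that OpenSSL 1.0.x leaves the locking to the application's static locking callbacks; that is what the poster's reentrance.THREAD_setup() is for. The block below is an added example, not code from the thread or from OpenSSL: it implements the locking and thread-id callbacks in the shape CRYPTO_set_locking_callback() and CRYPTO_set_id_callback() expect, then has several threads bump a constructed shared-context counter through that callback. NUM_LOCKS, CRYPTO_LOCK, shared_ctx and run_connections() are constructed stand-ins so the block builds and runs without linking libcrypto; the real registration calls are shown in a comment.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed stand-ins for OpenSSL 1.0.x's CRYPTO_num_locks() value and the
 * CRYPTO_LOCK bit (0x01) it sets in `mode`; mirrored so this runs without libcrypto. */
#define NUM_LOCKS 41
#define CRYPTO_LOCK 1
static pthread_mutex_t *mutex_buf = NULL;

/* Static locking callback with the signature CRYPTO_set_locking_callback() expects:
 * libcrypto never locks by itself, it calls this around every write to shared state. */
void locking_function(int mode, int n, const char *file, int line) {
    (void)file; (void)line;
    if (mode & CRYPTO_LOCK)
        pthread_mutex_lock(&mutex_buf[n]);
    else
        pthread_mutex_unlock(&mutex_buf[n]);
}
/* Thread-id callback, so OpenSSL keeps per-thread error queues apart. */
unsigned long id_function(void) { return (unsigned long)pthread_self(); }

/* Equivalent of the poster's reentrance.THREAD_setup(): one mutex per lock index. */
int THREAD_setup(void) {
    mutex_buf = malloc(NUM_LOCKS * sizeof(pthread_mutex_t));
    if (mutex_buf == NULL) return 0;
    for (int i = 0; i < NUM_LOCKS; i++) pthread_mutex_init(&mutex_buf[i], NULL);
    /* With real OpenSSL 1.0.x the registration is:
     *   CRYPTO_set_id_callback(id_function);
     *   CRYPTO_set_locking_callback(locking_function); */
    return 1;
}

/* Constructed stand-in for the shared SSL_CTX use counter Marek describes: every
 * per-connection SSL object bumps it, so threads race on it unless serialised. */
static struct { int references; } shared_ctx = { 1 };

static void *connection_thread(void *arg) {
    for (int i = 0; i < *(int *)arg; i++) {
        locking_function(CRYPTO_LOCK, 0, __FILE__, __LINE__);  /* lock index 0: arbitrary */
        shared_ctx.references++;
        locking_function(0, 0, __FILE__, __LINE__);
    }
    return NULL;
}
/* Spawn `nthreads` connection threads; returns the final use count. */
int run_connections(int nthreads, int per_thread) {
    pthread_t *t = malloc(nthreads * sizeof(pthread_t));
    for (int i = 0; i < nthreads; i++)
        pthread_create(&t[i], NULL, connection_thread, &per_thread);
    for (int i = 0; i < nthreads; i++) pthread_join(t[i], NULL);
    free(t);
    return shared_ctx.references;
}
```

Without the lock/unlock pair in connection_thread() the final count would typically come out short of the expected value, which is the kind of corruption an unprotected shared SSL_CTX suffers.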