On 2014-06-25 at 22:22, Michael Wojcik <michael.woj...@microfocus.com> wrote:
[…]
>> But if two or more parallel SSL connections
>> are initiated you would AFAICS require a unique index variable per running
>> SSL*.
>
> No, that's not how it works. You need one index value per item to be stored
> in a given SSL object. You have one item to store - a pointer to your
> application data - in each SSL object. You'll use the same index value for
> that item in each SSL object.

Thank you very much Michael. That was the final comment that made me fully understand where you wanted to point me at. I really first thought I need a unique index for each SSL* object, but as you said, I only need to call SSL_get_ex_new_index() once upon application startup and just save that single index in a global variable and then use it with the SSL_set_ex_data() call I execute when initiating a new SSL negotiation.

To finalize this mail thread and make sure if someone stumbles over it via google, allow me to add a URL to the sources of the mail client in which I have now implemented the SSL negotiation as you have suggested:

http://yam.ch/browser/trunk/src/tcp/ssl.c?rev=8113#L1053

And for the ones not wanting to read foreign source code, I will summarize our findings in some pseudo code:

— cut here —
int globalAppDataIndex;   /* obtained once, shared by every SSL* */
SSL_CTX *globalSSLctx;    /* single context for the whole application lifetime */

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
  /* recover the SSL* this verification belongs to, then our own data */
  SSL *ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
  void *app_data = SSL_get_ex_data(ssl, globalAppDataIndex);

  /* do something on app_data */
  […]

  return preverify_ok;
}

void makeSSLConnection(int socket)
{
  void *app_data = malloc(…);
  /* fill app_data with connection specific data */
  […]

  SSL *ssl = SSL_new(globalSSLctx);
  SSL_set_ex_data(ssl, globalAppDataIndex, app_data);
  SSL_set_fd(ssl, socket);
  SSL_connect(ssl);

  /* perform SSL secured connection */
  […]
}

void InitSSL(void)
{
  […]
  globalSSLctx = SSL_CTX_new(…);
  /* one index for the whole application, requested exactly once */
  globalAppDataIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
  SSL_CTX_load_verify_locations(globalSSLctx, …);
  SSL_CTX_set_default_verify_paths(globalSSLctx);
  SSL_CTX_set_verify(globalSSLctx, SSL_VERIFY_PEER, verify_callback);
  […]
}

int main(…)
{
  /* run InitSSL() only once */
  InitSSL();

  /* create multiple, parallel (multithreaded) connections */
  for(int i=0; i < numConnections; i++)
  {
    /* create socket and perform tcp connection */
    […]

    /* init the SSL negotiation */
    makeSSLConnection(socket);
  }
  […]
}
— cut here —

This pseudo code should allow loading a ca-bundle or all types of certificates via SSL_CTX_load_verify_locations() once at application startup by keeping a single SSL_CTX* object throughout the whole lifetime of the application. At the same time it comes with a verify_callback and shows how to forward own application specific data using SSL_set_ex_data() to the verify callback function.

So thanks to anyone involved in this thread. The final solution is really now more optimized and allows performing SSL connections way faster.

best regards,
jens

--
Jens Maus, Dresden/Germany
http://jens-maus.de/
(Please note a real name change effective since 5.9.2013. Former name: Jens Langner)
*** Content is authentic only with digital signature ***