Hello, I'd like a clarify a little bit about multithreaded use of X509_verify_cert.
Use case: I want connections to be accepted and served in a network thread and delegate all certificate checking to another thread (or even thread pool). CA for all certificates to be checked is stored in a single |X509_STORE|. Basically, when certificate is received from a client, I create new |X509_STORE_CTX|, initialize it with a single (say, global) |X509_STORE|, and feed a worker thread with a checking routine which calls |X509_verify_cert|.
The question is, does this kind of thread-sharing of |X509_STORE| need any external locking provided by an application?
Particularly, I'm worried because |X509_STORE_CTX_init| takes a non-const pointer of my |X509_STORE|. Probably, this is because this function modifies reference counters inside the store, which is thread-safe provided that locking callbacks are set during initialization of the library. There should be no other non-const access to the store, right?
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
