On Wed, 16 Feb 2000, Oliver King wrote:

> Hi,
> 
> I sent the message below last week, asking about multiple threads accessing
> a single SSL connection, but didn't receive any replies. I can't find
> anything relating to this on the list archives.
> 
> Has anyone tried this, or is it not supported?

For an unrelated reason I'd heard that sharing of an SSL "object" across
threads was not recommended ... in my case it was the scenario of having
each thread running one or more SSL objects, but a separate thread keeping
an eye on all of them for various stats and monitoring.

However, the synchronisation in OpenSSL seems to happen at a type scope
rather than an object scope (somebody please correct me if I'm wrong). I.e.
there are locks like CRYPTO_LOCK_X509 that are used when synchronising on
X509 operations - however they're global and not bound to the object being
accessed. You can certainly ensure your app is thread safe when accessing
SSL objects by:

(a) upping the reference count on the SSL object each time you have a
distinct thread that will access it (this means it will not be deallocated
until each thread has freed its own reference) by doing:
   /* write lock, since the count is being modified */
   CRYPTO_w_lock(CRYPTO_LOCK_SSL);
   your_ssl_pointer->references++;
   CRYPTO_w_unlock(CRYPTO_LOCK_SSL);

(b) wrapping up all calls to your SSL object with the same locking.

Of course, this would probably be next to useless if most of your threads'
job is to perform operations on the SSL object, as they'd all be
serialising up behind each other. If they only touch the SSL object
occasionally this may be the way to go?

Otherwise, looking at SSL_write (and the various "method" functions it
calls) reveals that there doesn't appear to be any locking implicit, so
you'd have to synchronise it all yourself no matter how you decide to go.
On the bright side, each SSL object has an "ex_data" member which is a
CRYPTO_EX_DATA structure used for storing "application data" ... if you
want to put some kind of synchronisation in on your SSL "objects" then you
could perhaps utilise that to store pointers to mutexes or whatever. NB:
Each SSL_CTX object has one of these ex_data things too if that helps :-)

Good luck,
Geoff


----------------------------------------------------------------------
Geoff Thorpe                                    Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe    http://www.int.c2.net
----------------------------------------------------------------------

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
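
The two steps from the reply above, (a) counting references under the type-wide lock and (b) serialising operations with a per-object mutex of the kind the ex_data slot could point to, as an added example that is not part of the original message. It is a plain pthreads model that makes no OpenSSL calls; conn_t, conn_ref, conn_free, conn_write and run_shared are hypothetical names.

```c
#include <pthread.h>
#include <stdlib.h>

typedef struct {               /* hypothetical stand-in for an SSL object */
    int references;            /* guarded by type_lock (global, type scope) */
    pthread_mutex_t ex_lock;   /* per-object mutex, as ex_data could point to */
    long bytes_written;        /* guarded by ex_lock */
} conn_t;
static pthread_mutex_t type_lock = PTHREAD_MUTEX_INITIALIZER;

/* Step (a): adjust the reference count under the type-wide lock. */
static int conn_ref(conn_t *c, int delta) {
    pthread_mutex_lock(&type_lock);
    int now = (c->references += delta);
    pthread_mutex_unlock(&type_lock);
    return now;
}

/* Drop one reference; returns 1 if this caller was the last holder. */
static int conn_free(conn_t *c) {
    if (conn_ref(c, -1) > 0) return 0;
    pthread_mutex_destroy(&c->ex_lock);
    free(c);
    return 1;
}

/* Step (b): every operation takes that object's own lock. */
static void conn_write(conn_t *c, long n) {
    pthread_mutex_lock(&c->ex_lock);
    c->bytes_written += n;
    pthread_mutex_unlock(&c->ex_lock);
}

static void *worker(void *arg) {
    for (int i = 0; i < 10000; i++) conn_write(arg, 1);
    conn_free(arg);
    return NULL;
}

/* Share one object between nthreads (at most 16); returns bytes counted. */
long run_shared(int nthreads) {
    pthread_t t[16];
    conn_t *c = calloc(1, sizeof *c);
    c->references = 1;
    pthread_mutex_init(&c->ex_lock, NULL);
    for (int i = 0; i < nthreads; i++) { conn_ref(c, 1); pthread_create(&t[i], NULL, worker, c); }
    for (int i = 0; i < nthreads; i++) pthread_join(t[i], NULL);
    long total = c->bytes_written;
    return conn_free(c) ? total : -1;
}
```

Build with -pthread and call run_shared(4) from a main; workers on different objects would contend only on type_lock while taking or dropping references, not on each other's writes.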
