>From: Eric Rescorla <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Newbie dev questions
>Date: 04 Dec 2001 12:24:16 -0800
>
>"Tim Pushor" <[EMAIL PROTECTED]> writes:
> > I am following the 'Introduction to OpenSSL programming' found at rtfm.com.
> > I am having no trouble understanding the concepts within, but have a few
> > questions:
> >
> > 1) My application is multithreaded (using pthreads) and each thread will
> > make a new SSL connection. Can I create the global SSL context in the main
> > thread, and then use it in each worker thread to generate the individual
> > connections? Is there any synchronization necessary?
>As far as I know, the rule is that you cannot use a single SSL object
>in more than one thread but that you can share an SSL_CTX as long
>as you've compiled OpenSSL in threaded mode. However, I'd like to
>see someone who's actually done OpenSSL thread programming weigh in :)
Just don't forget the three thread locking functions described in the
"threads" man page...
>
> > 2) I need to use nonblocking IO for reads and writes (to handle timeouts
> > mainly). The introduction does not cover that :( is there anywhere I can see
> > a (hopefully simple) implementation of nonblocking IO?
>Actually, part II does cover that. I haven't had time to typeset it in
>PDF but it's available on the Linux Journal web site at:
>http://www.linuxjournal.com/article.php?sid=5487
>
> > or is there a
> > mechanism inside OpenSSL to handle read/write timeouts?
>No. You have to do it yourself.
>
>
> > 3) I don't care about client authentication, or about server CA
> > verification. Can I just set the verify depth to 0 in the global SSL
> > context?
>This is a bad bad idea because it leaves you open to active attack.
>
>However, it's not done by setting the verify depth to zero.
>Just leave the SSL ctx as it is and don't check whether verification
>succeeded or not. If you look at my code in wclient you can see
>how this works:
>
> if(require_server_auth)
> check_cert(ssl,host);
>
>-Ekr
>
>--
>[Eric Rescorla [EMAIL PROTECTED]]
>Author of "SSL and TLS: Designing and Building Secure Systems"
> http://www.rtfm.com/
>
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
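The read/write timeout handling that Eric says "you have to do it yourself", as an added example that is not from this thread or from the rtfm.com articles. It keeps one absolute deadline across retries of a non-blocking operation and poll()s for whichever direction the last attempt asked for. The step function here is a plain non-blocking read() over a socketpair with a forked peer, so it runs without OpenSSL; in a real client the step would call SSL_read() or SSL_write() and translate SSL_get_error()'s SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE into IO_WANT_READ / IO_WANT_WRITE. The enum, io_with_deadline, read_step and demo_timed_read are names chosen for this example, and the peer's 5-byte "hello" and the delays are constructed test data.

```c
/* Added example: deadline-based retry loop for non-blocking I/O.
 * Not from the mailing-list thread; runs without OpenSSL. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Outcome codes modelled on what SSL_get_error() reports after a short
 * SSL_read()/SSL_write(): finished, needs the socket readable, needs it writable. */
enum io_status { IO_DONE = 0, IO_WANT_READ, IO_WANT_WRITE, IO_TIMEOUT, IO_ERROR };

/* One attempt at the operation; *out receives the byte count when it completes. */
typedef enum io_status (*io_step_fn)(void *ctx, char *buf, size_t len, ssize_t *out);

static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Retry `step` until it completes or `timeout_ms` elapses in total. The deadline is
 * absolute, so a peer that trickles bytes (or a loop that keeps being woken) cannot
 * stretch the wait; poll() watches the direction the last step asked for, because a
 * TLS read can legitimately need the socket writable (and vice versa) mid-handshake. */
enum io_status io_with_deadline(int fd, io_step_fn step, void *ctx,
                                char *buf, size_t len, int timeout_ms, ssize_t *out)
{
    long long deadline = now_ms() + timeout_ms;
    for (;;) {
        enum io_status st = step(ctx, buf, len, out);
        if (st == IO_DONE || st == IO_ERROR)
            return st;
        long long remaining = deadline - now_ms();
        if (remaining <= 0)
            return IO_TIMEOUT;
        struct pollfd pfd = { .fd = fd, .events = (st == IO_WANT_READ) ? POLLIN : POLLOUT };
        int rc = poll(&pfd, 1, (int)remaining);
        if (rc == 0)
            return IO_TIMEOUT;
        if (rc < 0 && errno != EINTR)   /* EINTR: recompute the remaining time and retry */
            return IO_ERROR;
    }
}

/* Demo step: a non-blocking read() that reports the way SSL_read() would. With OpenSSL
 * this is where SSL_read() goes, mapping SSL_ERROR_WANT_READ/WANT_WRITE to the enum. */
static enum io_status read_step(void *ctx, char *buf, size_t len, ssize_t *out)
{
    ssize_t n = read(*(int *)ctx, buf, len);
    if (n >= 0) { *out = n; return IO_DONE; }               /* n == 0 is a clean EOF */
    if (errno == EAGAIN || errno == EWOULDBLOCK) return IO_WANT_READ;
    return IO_ERROR;
}

/* Constructed scenario: a forked "peer" answers "hello" after peer_delay_ms; we read it
 * with a budget of timeout_ms. Returns bytes read, -1 on timeout, -2 on error,
 * -3 if the payload is not the expected "hello". */
int demo_timed_read(int peer_delay_ms, int timeout_ms)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {                                  /* peer: sleep, write, hang up */
        close(sv[0]);
        struct timespec ts = { peer_delay_ms / 1000, (peer_delay_ms % 1000) * 1000000L };
        nanosleep(&ts, NULL);
        if (write(sv[1], "hello", 5) < 0)            /* after a timeout our end is gone */
            _exit(1);
        _exit(0);
    }
    close(sv[1]);
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    char buf[64];
    ssize_t got = 0;
    enum io_status st = io_with_deadline(sv[0], read_step, &sv[0], buf, sizeof buf, timeout_ms, &got);
    close(sv[0]);                                    /* give up on the peer once we time out */
    waitpid(pid, NULL, 0);
    if (st == IO_TIMEOUT) return -1;
    if (st != IO_DONE)    return -2;
    return (got == 5 && memcmp(buf, "hello", 5) == 0) ? (int)got : -3;
}

int main(void)
{
    printf("peer answers in 50 ms, budget 1000 ms: %d bytes\n", demo_timed_read(50, 1000));
    printf("peer answers in 500 ms, budget 50 ms: %d (-1 = timed out)\n", demo_timed_read(500, 50));
    return 0;
}
```

The same loop serves a whole SSL_read() or SSL_write() call that spans several partial attempts: each attempt consumes part of the one budget, so a slow or stalled peer is bounded by the deadline you chose rather than by how often it sends a byte.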