> Guys:
> I have a listening socket, waiting for connections from clients. When a
> client connects to my server, I put SSL on the socket and spin up a thread
> to handle it. One client is one thread. All of these connections
> share the same SSL_CTX ctx. This is how I handle the end of a
> connection:
>
> 1. If (SSL_shutdown(ssl))
> 2. {
> 3.  SSL_free(ssl);
> 4.  SSL_free_ctx();
> 5.  close(socket);
> 6. }
> 7. Else
> 8. {
> 9.   Throw exception(...);
> 10. }
>
> Is this the right way to do it? Do I need both lines 3 and 4? Please help.

There is no way to tell from just the snippet you posted. That piece of code
might have a reference to the context or it might not. If it does, then
freeing the context is correct if and only if the code will no longer use
the context. If it does not, then it's an error.

For example, if the code is:

1) Acquire a reference to the context.
2) Do some stuff
3) That snippet
4) Do some more stuff with the context.

Then you should not free the context, because you are still using it. If the
code is:

1) Acquire a reference to a context (say, by creating it).
2) Create an SSL session using that context.
3) Release the context because we don't use it anymore (though the session
does)
4) That snippet
5) Do nothing else with the context

Then it's still wrong, because that snippet has no reference to the context.

However, if it's:

1) Grab the SSL session, but don't do anything with its context
2) That snippet
3) Do nothing further with the context

Then it's an error to release the context, because you never had a reference
to it.

If it's:

1) Create the context.
2) Create an SSL session using that context. (Now, both this code and that
session have a reference.)
3) That snippet.
4) Nothing else with the context.

Then it's correct, because the session releases its own reference, but the
code has to release its reference.

DS
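
The ownership rule in the reply above, as an added example that is not part of the original message and is not OpenSSL code: a toy C model in which the hypothetical `ctx_new`, `session_new`, `session_free` and `ctx_release` stand in for the roles of `SSL_CTX_new`, `SSL_new`, `SSL_free` and `SSL_CTX_free`. It goes one step beyond the reply's cases by also running several sessions that share one context, as in the question.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the reference counting; names are hypothetical, not OpenSSL's. */
#define MAX_CLIENTS 8
typedef struct { int refs, freed, misused; } ctx_t;
typedef struct { ctx_t *ctx; } session_t;
typedef enum { CLEAN, LEAKED, OVER_RELEASED } outcome_t;

static ctx_t *ctx_new(void) {               /* role of SSL_CTX_new: caller gets 1 ref */
    ctx_t *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refs = 1;
    return c;
}
static void ctx_release(ctx_t *c) {         /* role of SSL_CTX_free: drop one ref */
    if (c->refs == 0) { c->misused = 1; return; }  /* real code: touches freed memory */
    if (--c->refs == 0) c->freed = 1;       /* real code frees the object here */
}
static session_t *session_new(ctx_t *c) {   /* role of SSL_new: session takes a ref */
    session_t *s = malloc(sizeof *s);
    if (!s) abort();
    s->ctx = c; c->refs++;
    return s;
}
static void session_free(session_t *s) {    /* role of SSL_free: drops that ref */
    ctx_release(s->ctx);
    free(s);
}

/* clients: sessions sharing one context; owner_released_early: the code dropped
 * its own ref before teardown; teardown_frees_ctx: each teardown also runs line 4. */
static outcome_t run_case(int clients, int owner_released_early, int teardown_frees_ctx) {
    session_t *s[MAX_CLIENTS];
    if (clients < 0 || clients > MAX_CLIENTS) abort();
    ctx_t *c = ctx_new();
    for (int i = 0; i < clients; i++) s[i] = session_new(c);
    if (owner_released_early) ctx_release(c);
    for (int i = 0; i < clients; i++) {
        session_free(s[i]);                       /* line 3 of the snippet */
        if (teardown_frees_ctx) ctx_release(c);   /* line 4 of the snippet */
    }
    outcome_t r = c->misused ? OVER_RELEASED : c->freed ? CLEAN : LEAKED;
    free(c);
    return r;
}

int main(void) {
    printf("%d %d %d\n", run_case(1, 0, 1), run_case(1, 1, 1), run_case(3, 0, 1));
    return 0;
}
```

With three clients sharing one context, running line 4 in every teardown releases the owner's single reference more than once; the owner should release it once, when nothing will create further sessions from that context.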


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
