Hello,
> 1) Am I able to do both EPHEMERAL RSA and DH EPHEMERAL at the same time?
No, in this situation both algorithms are used for the same purpose
(key exchange) so one may be used.
> Will OpenSSL call either EPHEMERAL RSA or DH EPHEMERAL depending on what
> ciphers are in use?
Depending on cipher suites. SSL/TLS cipher suites are defined in the RFCs
and have two-byte identifiers for SSL3/TLS1 (or three-byte identifiers
for SSL2).

> 2) What do you mean by some compatibility problem? If SSLv2 or SSLv3
> tries to connect to my server (TLS_RSA_WITH_3DES_EDE_CBC_SHA1), will my
> server crash?
Server should not crash in any situation :-)
I mean that you may find some SSL/TLS implementations (there are a few,
for example gnutls, yassl, matrixssl, nss and many with closed source)
with which the connection may not work properly.

> 3) I have a core dump on SSL_CTX_free(ctx). I already check:
>
>       if (ctx)
>           SSL_CTX_free(ctx);
> 
> I have an SSL server/client application. The client can be independent or
> come from the server.
> If the client is by itself, SSL_CTX_free(ctx) will be called when I am done
> with the client.
> 
> For the server, I create one CTX. For each client's SSL connection, I
> spin off a thread and create an SSL which shares this CTX. Does OpenSSL have
> a counter to let me know there are still some SSL connections which
> belong to this CTX before I call SSL_CTX_free(ctx)? Something like this:
> 
>       if ( CTX_counter == 0)
>        { if (ctx)
>          SSL_CTX_free(ctx);
>        }
> Sorry to ask you so many questions. I just want to understand.
I think that you should not bother with counters inside the SSL_CTX
object. If your program creates an SSL_CTX at startup, then gets
SSL objects from this context for client connections, and frees each
SSL object at the end of its connection, there should be
no memory leak or other bad things. SSL_new() will increment the reference
counter in the SSL_CTX object and SSL_free() will decrement it, so this
will be properly balanced. You do not need to call SSL_CTX_free()
at this time (at the end of a thread, for example). If the number
of SSL_new() calls is equal to the number of SSL_free() calls,
then the last SSL_CTX_free() should really free this context.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
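
The reference-count balance described in the reply above, as an added example that is not part of the original message and is not OpenSSL code: a single-threaded C model in which `model_ctx` and `model_conn` are hypothetical stand-ins for SSL_CTX and SSL. It shows the context surviving until the last connection is released, and what an extra context free per worker (a constructed scenario) does to the count.

```c
#include <stddef.h>

/* Hypothetical stand-ins for SSL_CTX and SSL; only the reference count is modelled. */
typedef struct { int refs; int destroyed; } model_ctx;
typedef struct { model_ctx *ctx; } model_conn;

/* Like SSL_CTX_new(): the creator holds the first reference. */
void model_ctx_init(model_ctx *c) { c->refs = 1; c->destroyed = 0; }

/* Like SSL_CTX_free(): drop one reference, destroy only when the last one goes. */
void model_ctx_free(model_ctx *c) { if (c != NULL && --c->refs == 0) c->destroyed++; }

/* Like SSL_new(): the connection takes its own reference on the context.
 * Returns -1 if the context is already destroyed (a use-after-free in real code). */
int model_conn_new(model_conn *s, model_ctx *c) {
    if (c->destroyed) return -1;
    c->refs++;
    s->ctx = c;
    return 0;
}

/* Like SSL_free(): release the connection's reference. */
void model_conn_free(model_conn *s) { model_ctx_free(s->ctx); s->ctx = NULL; }

/* Balanced use: n connections, one context free by the owner, n connection frees.
 * Returns how many times the context was destroyed (1), or -1 if destroyed early. */
int balanced_shutdown(int n) {
    model_ctx ctx; model_conn conns[16];
    if (n > 16) n = 16;
    model_ctx_init(&ctx);
    for (int i = 0; i < n; i++) model_conn_new(&conns[i], &ctx);
    model_ctx_free(&ctx);                  /* owner drops its reference first */
    if (n > 0 && ctx.destroyed) return -1; /* open connections must keep it alive */
    for (int i = 0; i < n; i++) model_conn_free(&conns[i]);
    return ctx.destroyed;
}

/* Unbalanced use (constructed scenario): every worker also frees the context.
 * Returns the index of the first worker that finds it destroyed, or -1 if none. */
int per_worker_ctx_free(int workers) {
    model_ctx ctx; model_conn s;
    model_ctx_init(&ctx);
    for (int i = 0; i < workers; i++) {
        if (model_conn_new(&s, &ctx) != 0) return i;
        model_conn_free(&s);
        model_ctx_free(&ctx);              /* extra release: count reaches zero */
    }
    return -1;
}
```

In the model the owner's single free can come before or after the connection frees; the context is destroyed once, on whichever release is last.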
