Thanks for the quick response, David. I hadn't seen any documentation on BIO_set_ssl_renegotiate_bytes/timeout(), but that sounds like a simpler way to go. If I set them both, do they both reset whenever a renegotiation takes place? Any recommendations on reasonable settings for SSLv3/TLSv1?
Re: the readers/writers, the writers are serialized on the semaphore, but the single reader is never serialized. I had thought that configuring the mutex locking stuff (using CRYPTO_set_locking_callback() code lifted from "Network Security with OpenSSL", page 76) would allow multiple readers/writers. Is that not the case?

Wayne.

On Tue, 2009-05-19 at 21:09 -0700, David Schwartz wrote:
> Wayne Feick wrote:
>
> > Our server has one background thread constantly calling SSL_read()
> > to drain incoming data. There are multiple threads generating outgoing
> > data but all the SSL_write() calls are serialized with a semaphore.
> > All I/O is blocking.
>
> I'm not sure how you could make this work. If all I/O is blocking, the call
> to SSL_read will block until data is available. If a thread generating
> outgoing data wants to call SSL_write, how can it do so since the reader
> thread will hold the semaphore?
>
> You do realize that you cannot concurrently call SSL_read and SSL_write on
> the same SSL connection. You can concurrently call SSL_write on distinct SSL
> connections.
>
> Also, OpenSSL will renegotiate automatically.
>
> BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte
> count to num. When set after every num bytes of I/O (read
> and write) the SSL session is automatically renegotiated.
> num must be at least 512 bytes.
>
> BIO_set_ssl_renegotiate_timeout() sets the renegotiate
> timeout to seconds. When the renegotiate timeout elapses
> the session is automatically renegotiated.
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
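As an added illustration (not code from this thread, nor from OpenSSL or the book cited), the C below separates the two things the locking-callback question conflates: CRYPTO_set_locking_callback() on OpenSSL 0.9.8/1.0.x guards the library's global shared state, but it never serializes calls on one SSL object, so SSL_read() and SSL_write() on the same connection still need an application-level lock. The names openssl_threads_init, struct conn and conn_write, the stand-in lock count of 41 used when OpenSSL headers are not available, and the USE_OPENSSL build switch are assumptions made for this example.

```c
/* Added example, not code from the thread or from OpenSSL itself.
 *  1. The locking callback guards OpenSSL's global shared state (session
 *     cache, error queue, ex_data, RNG). Lock index n selects one of
 *     CRYPTO_num_locks() mutexes. Required on 1.0.x; a no-op macro on 1.1.0+.
 *  2. It does NOT make one SSL object usable from two threads at once.
 *     SSL_read() and SSL_write() on the same SSL* must be serialized by
 *     the application, e.g. with the per-connection mutex in part 2.
 * Build: cc -pthread -DUSE_OPENSSL x.c -lssl -lcrypto   (real OpenSSL)
 *        cc -pthread x.c                               (stand-ins only) */
#include <pthread.h>
#include <stdlib.h>

#ifdef USE_OPENSSL
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#else
/* Stand-ins so the locking logic compiles without OpenSSL headers.
 * CRYPTO_LOCK is 1 in crypto.h; the lock count of 41 is an assumption. */
#define CRYPTO_LOCK 1
static int CRYPTO_num_locks(void) { return 41; }
#endif

static pthread_mutex_t *lock_table;
static unsigned long *lock_hits;    /* acquisitions per index, for checking */
static int lock_count;

/* Exact signature OpenSSL 1.0.x expects from the locking callback:
 * mode has CRYPTO_LOCK set to acquire, clear to release. */
static void openssl_locking_cb(int mode, int n, const char *file, int line)
{
    (void)file; (void)line;
    if (n < 0 || n >= lock_count)
        abort();                    /* init-order bug: fail loudly, never silently */
    if (mode & CRYPTO_LOCK) {
        pthread_mutex_lock(&lock_table[n]);
        lock_hits[n]++;
    } else {
        pthread_mutex_unlock(&lock_table[n]);
    }
}

/* Call once, before any other OpenSSL call and before starting threads.
 * Returns the number of locks installed, or -1 on allocation failure. */
int openssl_threads_init(void)
{
    int i;
    lock_count = CRYPTO_num_locks();
    lock_table = calloc((size_t)lock_count, sizeof *lock_table);
    lock_hits  = calloc((size_t)lock_count, sizeof *lock_hits);
    if (!lock_table || !lock_hits)
        return -1;
    for (i = 0; i < lock_count; i++)
        pthread_mutex_init(&lock_table[i], NULL);
#ifdef USE_OPENSSL
    CRYPTO_set_locking_callback(openssl_locking_cb);
#endif
    return lock_count;
}

/* Part 2: one mutex per SSL connection. OpenSSL never takes this for you.
 * Hold it only for the duration of the SSL_read()/SSL_write() call. With a
 * blocking socket a reader parked inside SSL_read() would hold it
 * indefinitely and starve every writer, so use a non-blocking socket and
 * wait with poll() OUTSIDE the lock on SSL_ERROR_WANT_READ/WANT_WRITE.
 * A conn_read() wrapper is symmetric to conn_write() and uses the same lock. */
struct conn {
    pthread_mutex_t lock;
#ifdef USE_OPENSSL
    SSL *ssl;                       /* set up by the caller after the handshake */
#endif
    unsigned long ops;              /* calls completed under the lock */
};

void conn_init(struct conn *c)
{
    pthread_mutex_init(&c->lock, NULL);
    c->ops = 0;
}

/* Returns the SSL_write() result: bytes written, or <= 0 on error. */
int conn_write(struct conn *c, const void *buf, int len)
{
    int r;
    pthread_mutex_lock(&c->lock);
#ifdef USE_OPENSSL
    r = SSL_write(c->ssl, buf, len);
#else
    (void)buf;
    r = len;                        /* stand-in transport accepts everything */
#endif
    c->ops++;
    pthread_mutex_unlock(&c->lock);
    return r;
}
```

Without -DUSE_OPENSSL the block exercises only the locking discipline (stand-in transport); with it, openssl_threads_init() installs the real callback and conn_write() calls SSL_write() on the connection's SSL*. The locking callback is unnecessary on OpenSSL 1.1.0 and later, where the macros expand to nothing, but the per-connection mutex in part 2 is needed on every version.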