Sorry, I confused you.

1) I just want to say that it depends on your needs whether to call SSL_CTX_free(). For example, you develop an application that needs the user to import a certificate. If the user imports the wrong certificate, you may not call SSL_CTX_free() to free the SSL_CTX object. You may tell the user that the certificate is wrong and let him import it again. Sometimes you develop a server. Every time the server starts, it loads the certificate. The failure of calling SSL_CTX_use_certificate_file() means that it loaded the wrong certificate. If that is a fatal error for you, you should call SSL_CTX_free() on the SSL_CTX object and end your server.

I think the usage of the SSL_CTX/SSL functions is not about SSL usage, but about the common sense of object-oriented programming. When to kill the object depends on what your program needs.

At 2011-02-16 19:40:50, "Aro RANAIVONDRAMBOLA" <razuk...@gmail.com> wrote:

2) => OK

1) I do not understand when you say I can also call SSL_CTX_use_certificate_file() to load another certificate file ... if it fails, how can you load another certificate file?

2011/2/15 lzyzizi <lzyz...@126.com>:

When you have to call SSL_free() and SSL_CTX_free() depends on when you want to end the SSL/SSL_CTX object's lifecycle. Calling these functions is just like deleting the object in C++, which means you don't want the object any more.

The failure of calling functions (e.g. SSL_CTX_set_cipher_list(), SSL_CTX_use_certificate_file(), ..., SSL_CTX_set_verify()) does not mean that the SSL/SSL_CTX object won't work any more. For example, if SSL_CTX_use_certificate_file() fails, it just means that the certificate file may not be OK. You can also call it to load another certificate file.

2) You may not call SSL_CTX_free() when SSL objects fail, because the SSL_CTX object is used to create SSL objects, as a factory. An SSL_CTX may create many SSL objects. An SSL object failure just means that this SSL handshake (or other operation) had errors, which does not imply that the SSL_CTX object has an error. Especially, the failure of these functions (SSL_connect(), SSL_accept(), SSL_get_verify_result()) is common in the SSL handshake, because your peer sent a wrong certificate to you or something that violated the SSL protocol. It is not your fault, so you just need to free the SSL object or do some reconnection operation.

At 2011-02-15 22:40:29, "Aro RANAIVONDRAMBOLA" <razuk...@gmail.com> wrote:

Hello,

I'd like to know at what time I have to call SSL_free() and SSL_CTX_free().

1) For example, I call SSL_CTX_free() when a call to a function which fills in the CTX fails (SSL_CTX_set_cipher_list(), SSL_CTX_use_certificate_file(), ..., SSL_CTX_set_verify()). I am wondering if it is a good idea.

2) I call both SSL_free() and SSL_CTX_free() when a function using the SSL object fails. It concerns SSL_connect(), SSL_accept(), SSL_get_verify_result(), ... Is that OK?

Thanks