> From: owner-openssl-us...@openssl.org On Behalf Of TJ > Sent: Sunday, 02 December, 2012 22:26
> Can someone please explain these concepts to me? I can't find much > that explains it in plain English in the docs... > > I have been tasked with altering application code that uses an > embedded webserver so that it uses OpenSSL for TLS/SSL functions. > Being an embedded system with limited resources, I want to be able to > limit the number of connections possible. > If memory is a limited resource, be aware the OpenSSL code and initial data is pretty big before you do any connections. > I understand that there is only ever one SSL_CTX structure that holds > high level information (certificates/keys, defaults etc), but I don't > understand the SSL and BIO structures, other than the SSL inherits > stuff from it's "parent" SSL_CTX. From what I can tell in the docs, > SSL's and BIO's are very related. Should I implement an array of each There *can* be a single SSL_CTX; that is, multiple SSL objects can share one CTX. CTX stores normally-unchanging config (keys&certs, CAs, cipherlist, etc) and shared state (e.g. a cache of reusable sessions, by default, but you can disable that). Each SSL object handles and contains the state for one (active) connection -- handshake temps, nonces and derived keys, partial record buffers, sequence counters, HMAC state, CBC IV(pre-1.2), etc. plus BIO(s) for the TCP connection. One can have multiple CTX if one wants, especially likely if one does substantially different functions in one process. You probably don't want that, but it is possible. BIOs can be used for several purposes and in several ways in OpenSSL, but the one you are concerned with here is the one handling the TCP connection underlying a TLS/SSL connection. (Actually at least one; you can separate send and receive, and do additional things with both or either like logging and loopback, but you probably don't want to.) You can use BIO routines to create the (connected) socket in a BIO, or you can create the socket yourself (with connect on the client side or accept on the server side) and then put it in a BIO. BIOs also support several other kinds of I/O, and quasi-I/O such as filtering and loopback within a process. The API has a lot of features to cover this range of uses, some of which are not relevant to the case of a BIO for a TCP socket as here; just ignore them. > structure, say; > > SSL *sSSL[20]; > BIO *sBIO[20]; > > so that I have a structure of each type per connection (limited to 20 > connections)? Those are arrays of pointers, not of structs. The structs themselves are normally allocated with standard C library malloc/free etc., but if that's not good for your platform and/or app, you can substitute custom routines with equivalent functionality. But note OpenSSL doesn't allocate just a CTX or SSL struct -- each visible struct points to lots of other internal objects that are also malloc'ed, and a custom memory manager must support all of them. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
