On Sat, Mar 8, 2014 at 3:52 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Fri, Mar 07, 2014 at 06:16:33PM -0500, Jeffrey Walton wrote:
>
>> I have a cache of SSL_CTX's. When a SSL_CTX reference count drops to
>> 1, I'd like to remove it from the cache. (1 means the cache holds the
>> only copy, so I should be able to remove it and call SSL_CTX_free).
>>
>> Is it possible to retrieve the reference count on a SSL_CTX?
>
> This design is odd. Caches often contain the only copy of something,
> and expunge the cached object based on some constraint: maximum
> time in cache, maximum number of objects cached (LRU policy), and
> so on. With such designs you just SSL_CTX_free() the context when
> dropping it from the cache, and OpenSSL will free it if the cache
> held the last reference.
>
> Why does your cache only hold the object so long as there is at
> least one current external reference?

The certificates used are short lived to keep revocation manageable. For testing, that can be as low as hours and minutes. To exercise the purge functionality during testing, I want to perform the deletes.
I should probably back up: is it OK to provide the same server SSL_CTX to multiple clients? It looks OK to me because the SSL_CTX maintains a list of SSL_SESSION* for each client. But I don't know about the non-obvious stuff, and stuff not covered in the books. (And I have not yet written the test cases because app-level caching is still malleable.)

By the way, does this look right from ssl.h (from 1.0.1f, around line 920):

    #ifndef OPENSSL_ENGINE
    /* Engine to pass requests for client certs to */
    ENGINE *client_cert_engine;
    #endif

Shouldn't that be "#ifndef OPENSSL_NO_ENGINE"...?

Jeff
______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org