On Mon, Mar 10, 2014 at 11:19:41AM -0400, Jeffrey Walton wrote:
> > Why does your cache only hold the object so long as there is at
> > least one current external reference.
>
> The certificates used are short lived to keep revocation manageable.
> For testing, that can be as low as hours and minutes. To exercise the
> purge functionality during testing, I want to perform the deletes.
Associate a TTL with each cache entry, and purge it from the cache
when the TTL expires.
> I should probably back up: is it OK to provide the same server SSL_CTX
> to multiple clients?
Yes, you can use a single SSL_CTX application context to create
multiple SSL connection contexts. This allows the server or client
certificates and trusted certificate store to be initialized just
once, rather than once per connection.
The primary use-case for multiple SSL_CTX objects is server-side
SNI support.
> By the way, does this look right from ssl.h (from 1.0.1f, around line 920):
>
> #ifndef OPENSSL_ENGINE
> /* Engine to pass requests for client certs to
> */
> ENGINE *client_cert_engine;
> #endif
>
> Shouldn't that be "#ifndef OPENSSL_NO_ENGINE"...?
Yes, I believe you've found a (typo) bug. It dates back to the 0.9.9
development branch in 2008 which eventually became 1.0.0:
commit 368888bcb6192b96638c3d6dd706103be52eac89
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Sun Jun 1 22:33:24 2008 +0000
Add client cert engine to SSL routines.
...
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 23875f0..8f96120 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -160,6 +160,9 @@
#include <openssl/dh.h>
#endif
#include <openssl/bn.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
static const SSL_METHOD *ssl3_get_client_method(int ver);
static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
...
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 3c1b74a..6adf11d 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -798,6 +798,12 @@ struct ssl_ctx_st
*/
unsigned int max_send_fragment;
+#ifndef OPENSSL_ENGINE
+ /* Engine to pass requests for client certs to
+ */
+ ENGINE *client_cert_engine;
+#endif
+
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions servername callback */
int (*tlsext_servername_callback)(SSL*, int *, void *);
...
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 33d302a..12cc486 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -138,6 +138,9 @@
#include <stdio.h>
#include <openssl/lhash.h>
#include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
#include "ssl_locl.h"
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
...
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
