On 6/25/2014 3:23 PM, Jens Maus wrote:
On 2014-06-25 at 15:06, Michel <msa...@paybox.com> wrote:

Excerpt from the book "Network Security with OpenSSL":

"An SSL_CTX object will be a factory for producing SSL connection objects.
This context allows us to set connection configuration parameters before the 
connection is made, such as protocol version, certificate information, and 
verification requirements.
It is easiest to think of SSL_CTX objects as the containers for default values 
for the SSL connections to be made by a program.
…

Thanks for the reminder. But I have read the OpenSSL manual pages already, of 
course; as the documentation of OpenSSL is (to be honest) really bad, I wanted 
to make this absolutely clear.

In general, an application will create just one SSL_CTX object for all of the 
connections it makes."

And yes, this is also true for multithreaded connections, as long as we are 
aware of:
https://www.openssl.org/docs/crypto/threads.html

Ok, but then please allow the question how I should deal with

SSL_CTX_set_cert_verify_callback(sslCtx, func, conn);

in that context? Because currently we use this function to define our own verify 
callback function, and we supply ‘conn’ here as an application-specific pointer 
argument (and extract it via X509_STORE_CTX_get_app_data(x509_ctx) within 
the callback function) for filling in the individual results of the certificate 
verify process of a specific SSL connection. The problem that arises here is 
that this ‘conn’ pointer is connection-specific in our case. That means I want 
to be able to use a connection-specific ‘conn’ argument with 
SSL_CTX_set_cert_verify_callback(), but if I call this function once at the 
very beginning of my application I can only specify it once, and calling 
SSL_CTX_set_cert_verify_callback() on the same sslCtx pointer for every 
parallel connection will of course overwrite the old setting.

So how can I specify my own app_data for every connection? IMHO there should be 
something like SSL_set_cert_app_data() so that I can specify different app_data 
for different SSL connections.


After calling ssl_ctx = SSL_new(master_ssl_ctx) to get the new context,
call

  X509_STORE store_obj = SSL_CTX_get_cert_store(ssl_ctx),

then set your pointer in the CRYPTO_EX_DATA of
store_obj->ex_data.

When your callback receives an X509_STORE_CTX store_ctx, you can access
that same X509_STORE as store_ctx->ctx and get your pointer from the
CRYPTO_EX_DATA at store_ctx->ctx->ex_data.

At least that is what it looks like to me.

(Figuring out how to use the generic CRYPTO_EX_DATA API is left as an
exercise for the reader).



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org