On 6/25/2014 3:23 PM, Jens Maus wrote:
On 2014-06-25 at 15:06, Michel <msa...@paybox.com> wrote:
Excerpt from the book : "Network Security with OpenSSL" :
"An SSL_CTX object will be a factory for producing SSL connection objects.
This context allows us to set connection configuration parameters before the
connection is made, such as protocol version, certificate information, and
verification requirements.
It is easiest to think of SSL_CTX objects as the containers for default values
for the SSL connections to be made by a program.
…
Thanks for the reminder. But I read the OpenSSL manual pages already, of course
- but as the documentation of OpenSSL is (to be honest) really bad, I wanted to
make this absolutely clear.
In general, an application will create just one SSL_CTX object for all of the
connections it makes."
And Yes, this is also true for multithreaded connections, as long as we are
aware of :
https://www.openssl.org/docs/crypto/threads.html
Ok, but then please allow the question how I should deal with
SSL_CTX_set_cert_verify_callback(sslCtx, func, conn);
in that context? Because currently we use this function to define an own verify
callback function and we supply ‘conn’ here as an application specific pointer
argument (and extracting it via X509_STORE_CTX_get_app_data(x509_ctx) within
the callback function) for filling in the individual results of the certificate
verify process of a specific SSL connection. The problem that arises here is
that this ‘conn’ pointer is connection specific in our case. That means I want
to be able to use a connection specific ‘conn’ argument with
SSL_CTX_set_cert_verify_callback(), but if I call this function once at the
very beginning of my application I can only specify it once and calling
SSL_CTX_set_cert_verify_callback() on the same sslCtx pointer for every
parallel connection will of course overwrite the old setting.
So how can I specify an own app_data for every connection? IMHO there should be
something like SSL_set_cert_app_data() so that I can specify different app_data
for different SSL connections.
After calling ssl_ctx = SSL_new(master_ssl_ctx) to get the new context,
call
X509_STORE store_obj = SSL_CTX_get_cert_store(ssl_ctx),
then set your pointer in the CRYPTO_EX_DATA of
store_obj->ex_data.
When your callback receives an X509_STORE_CTX store_ctx, you can access
that same X509_STORE as store_ctx->ctx and get your pointer from the
CRYPTO_EX_DATA at store_ctx->ctx->ex_data.
At least that is what it looks like to me.
(Figuring out how to use the generic CRYPTO_EX_DATA API is left as an
exercise for the reader).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
