httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Creating a thread safe module and the problem of calling of 'CRYPTO_set_locking_callback' twice!
Date Wed, 06 Dec 2006 23:16:25 GMT
Darryl Miles wrote:
> Frank wrote:
>> William A. Rowe, Jr. wrote:
>>> Nick Kew wrote:
>>> [...]
>>> An SSL_CTX can't be cross-threaded.  If the scope of use of that CTX is
>>> restricted to one thread at a time, then yes, OpenSSL has been threadsafe
>>> for a very very long time.
>>
>> You mean if I were able to create one SSL_CTX for every thread then I
>> do not have to use both thread-safe-maker callbacks?

YOU don't have to set them because they are one-time things, and mod_ssl
establishes them for you when running in a threaded MPM such as worker or winnt.
You may dig your fingers into the SSL_CTX apache uses, or create your own.

If you f with the callbacks, you will blow up apache.  Let mod_ssl+the MPM
handle that please.

> I don't think this is true.  But correct my understanding too if I am
> wrong.  Cross-threaded might confuse someone into thinking there may be
> some "apartment threading rules" to obey; there aren't.
> 
> "An SSL *" can't have a method invoked on the same instance at the same
> time.  So long as you serialize your method calls (SSL_xxxx() family) to
> that same instance; any thread can call that method.  It is unusual to
> need to do so.
> 
> But "SSL_CTX *" is the template context specifically designed to be
> shared and used across multiple threads if need be, providing you make
> correct use of the 'CRYPTO_set_locking_callback' and
> 'CRYPTO_set_id_callback' and friends as part of your application
> initialization.  This allows for (amongst other things) the obviously
> parallel usage of SSL_new(SSL_CTX *) when creating new connections.

Good summary.  I believe I misspoke; the individual SSL_XXX objects aren't
thread safe (instead they are fast) but the overall SSL_CTX object is.

> Maybe the openssl-users list would be a better place for assistance.

Agreed
