<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello, <br>
</p>
<p>I'd like to clarify a little bit about multithreaded use of
X509_verify_cert.</p>
<div class="post-text" itemprop="text">
<p>Use case: I want connections to be accepted and served in a
network thread and delegate all certificate checking to another
thread (or even a thread pool). The CA for all certificates to be
checked is stored in a single <code>X509_STORE</code>.
Basically, when a certificate is received from a client, I create
new <code>X509_STORE_CTX</code>, initialize it with a single
(say, global) <code>X509_STORE</code>, and feed a worker thread
with a checking routine which calls <code>X509_verify_cert</code>.
</p>
<p>The question is, does this kind of thread-sharing of <code>X509_STORE</code>
need any external locking provided by an application?</p>
<p>Particularly, I'm worried because <code>X509_STORE_CTX_init</code>
takes a non-const pointer to my <code>X509_STORE</code>.
Probably, this is because this function modifies reference
counters inside the store, which is thread-safe provided that
locking callbacks are set during initialization of the library.
There should be no other non-const access to the store, right?</p>
</div>
</body>
</html>