[openssl-dev] OpenSSL 1.1 SSL_CTX issues
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Jan 21 17:57:43 UTC 2016
On Thu, Jan 21, 2016 at 05:33:51PM +0000, Howard Chu wrote:
> In OpenLDAP we've been using
> CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX)
> to manage our own SSL_CTXs but this is not possible with current 1.1. Making
> the structures opaque is a good move, but please provide methods to
> manipulate refcounts.
>
> Currently ssl_lib.c appears to bump the ctx refcount twice, in SSL_new. Why
> is that?
Because the SSL handle has two references to the SSL_CTX.
ssl->ctx
ssl->initial_ctx
they are initially the same, but may diverge. These are freed
independently.
Indeed there are at present no SSL_up_ref() or SSL_CTX_up_ref()
functions. The up_ref functions are at present:
include/openssl/rsa.h:int RSA_up_ref(RSA *r);
include/openssl/ec.h:int EC_KEY_up_ref(EC_KEY *key);
include/openssl/dh.h:int DH_up_ref(DH *dh);
include/openssl/dsa.h:int DSA_up_ref(DSA *r);
include/openssl/evp.h:void EVP_PKEY_up_ref(EVP_PKEY *pkey);
include/openssl/x509.h:void X509_up_ref(X509 *x);
include/openssl/x509.h:void X509_CRL_up_ref(X509_CRL *crl);
include/openssl/x509.h:STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
include/openssl/x509_vfy.h:void X509_OBJECT_up_ref_count(X509_OBJECT *a);
include/openssl/dso.h:int DSO_up_ref(DSO *dso);
include/openssl/engine.h:int ENGINE_up_ref(ENGINE *e);
--
Viktor.
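As an added illustration (not OpenSSL code and not part of this thread): a toy C model of the two-reference scheme described above, showing why a handle takes two references on its ctx, why an application that shares a ctx must hold its own reference rather than rely on the handle's, and how the two fields diverge. All names are invented; the handle_set_ctx step is modelled on SSL_set_SSL_CTX, which is an assumption about where the divergence happens.

```c
#include <stdlib.h>
/* Toy model of the reference counting described above; not OpenSSL code. */
typedef struct { int references; } ctx_t;              /* stands in for SSL_CTX */
typedef struct { ctx_t *ctx, *initial_ctx; } handle_t; /* stands in for SSL */
ctx_t *ctx_new(void) { ctx_t *c = malloc(sizeof *c); c->references = 1; return c; }
void ctx_up_ref(ctx_t *c) { c->references++; }
/* Drop one reference: returns 1 if the object survives, 0 if it was destroyed. */
int ctx_free(ctx_t *c) { if (--c->references > 0) return 1; free(c); return 0; }
/* Like SSL_new: one reference per field, since the two fields may later diverge. */
handle_t *handle_new(ctx_t *c) {
    handle_t *h = malloc(sizeof *h);
    ctx_up_ref(c); h->ctx = c;
    ctx_up_ref(c); h->initial_ctx = c;
    return h;
}
/* Modelled on SSL_set_SSL_CTX (assumption): only ctx is switched, initial_ctx keeps its reference. */
void handle_set_ctx(handle_t *h, ctx_t *c) { ctx_up_ref(c); ctx_free(h->ctx); h->ctx = c; }
/* Like SSL_free: both references are released independently. */
void handle_free(handle_t *h) { ctx_free(h->ctx); ctx_free(h->initial_ctx); free(h); }
/* Reference count on a ctx the application owns while n handles are open on it. */
int refs_with_handles(int n) {
    ctx_t *c = ctx_new();
    handle_t **hs = malloc((n > 0 ? n : 1) * sizeof *hs);
    for (int i = 0; i < n; i++) hs[i] = handle_new(c);
    int refs = c->references;                       /* 1 (application) + 2 per handle */
    for (int i = 0; i < n; i++) handle_free(hs[i]);
    free(hs);
    ctx_free(c);
    return refs;
}
/* The application's own reference keeps the ctx alive across handle_free; only the
 * application's final ctx_free destroys it. Returns 1 when both observations hold. */
int app_reference_keeps_ctx_alive(void) {
    ctx_t *c = ctx_new();
    handle_free(handle_new(c));
    int only_app_ref_left = (c->references == 1);
    return only_app_ref_left && ctx_free(c) == 0;
}
/* After a switch the fields diverge: the old ctx keeps the initial_ctx reference and the
 * new ctx gains the ctx reference. Returns old_refs*10 + new_refs, or -1 if cleanup
 * did not destroy both ctxs (which would indicate a leaked reference). */
int refs_after_ctx_switch(void) {
    ctx_t *a = ctx_new(), *b = ctx_new();
    handle_t *h = handle_new(a);
    handle_set_ctx(h, b);
    int encoded = a->references * 10 + b->references;   /* app+initial_ctx, app+ctx */
    handle_free(h);
    int both_destroyed = (ctx_free(a) == 0) & (ctx_free(b) == 0);
    return both_destroyed ? encoded : -1;
}
```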