[openssl-dev] OpenSSL 1.1 SSL_CTX issues

Matt Caswell matt at openssl.org
Tue Jan 26 13:22:32 UTC 2016



On 21/01/16 17:57, Viktor Dukhovni wrote:
> On Thu, Jan 21, 2016 at 05:33:51PM +0000, Howard Chu wrote:
> 
>> In OpenLDAP we've been using
>>   CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX)
>> to manage our own SSL_CTXs but this is not possible with current 1.1. Making
>> the structures opaque is a good move, but please provide methods to
>> manipulate refcounts.
>>
>> Currently ssl_lib.c appears to bump the ctx refcount twice, in SSL_new. Why
>> is that?
> 
> Because the SSL handle has two references to the SSL_CTX.
> 
> 	ssl->ctx
> 	ssl->initial_ctx
> 
> they are initially the same, but may diverge.  These are freed
> independently.
> 
> Indeed there are at present no SSL_up_ref() or SSL_CTX_up_ref()
> functions.  The up_ref functions are at present:

This has now been fixed. I have added SSL_up_ref() and SSL_CTX_up_ref().

Matt
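Added example, not part of the thread and not OpenSSL source: a simplified C model of the two references described above (`ssl->ctx` and `ssl->initial_ctx`), showing why the handle takes two counts and why a caller that keeps its own pointer must hold its own count. All `model_*` names and the `live_ctx` counter are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model; every name here is hypothetical, not an OpenSSL symbol. */
typedef struct { int references; } model_ctx;
typedef struct { model_ctx *ctx, *initial_ctx; } model_ssl;
static int live_ctx = 0;               /* contexts allocated and not yet freed */

model_ctx *model_ctx_new(void) {
    model_ctx *c = malloc(sizeof *c);
    if (c != NULL) { c->references = 1; live_ctx++; }  /* creator's reference */
    return c;
}
void model_ctx_up_ref(model_ctx *c) { c->references++; }
void model_ctx_free(model_ctx *c) {    /* drops one reference; frees on the last */
    if (c == NULL || --c->references > 0) return;
    live_ctx--;
    free(c);
}
model_ssl *model_ssl_new(model_ctx *c) {
    model_ssl *s = malloc(sizeof *s);
    if (s == NULL) return NULL;
    model_ctx_up_ref(c); s->ctx = c;          /* reference 1 of 2 */
    model_ctx_up_ref(c); s->initial_ctx = c;  /* reference 2 of 2 */
    return s;
}

/* The point where the two pointers diverge: only ->ctx is replaced. */
void model_ssl_switch_ctx(model_ssl *s, model_ctx *c) {
    model_ctx_up_ref(c);               /* take the new reference first */
    model_ctx_free(s->ctx);            /* then release the old one */
    s->ctx = c;
}

void model_ssl_free(model_ssl *s) {    /* each reference is released on its own */
    if (s == NULL) return;
    model_ctx_free(s->ctx);
    model_ctx_free(s->initial_ctx);
    free(s);
}

int main(void) {
    model_ctx *a = model_ctx_new(), *b = model_ctx_new();
    model_ssl *s = (a && b) ? model_ssl_new(a) : NULL;
    if (s == NULL) return 1;
    model_ssl_switch_ctx(s, b);
    model_ctx_free(a); model_ctx_free(b);     /* application drops its references */
    int during = live_ctx;                    /* both kept alive by the handle */
    model_ssl_free(s);
    printf("alive with handle: %d, after handle freed: %d\n", during, live_ctx);
    return 0;
}
```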