[openssl-users] Is it safe to share single X509_STORE between multiple threads for verifying certificate?

Oleg Andriyanov o.andriyanov at gmail.com
Tue Nov 1 23:16:54 UTC 2016


I'd like a clarify a little bit about multithreaded use of X509_verify_cert.

Use case: I want connections to be accepted and served in a network 
thread and delegate all certificate checking to another thread (or even 
thread pool). CA for all certificates to be checked is stored in a 
single |X509_STORE|. Basically, when certificate is received from a 
client, I create new |X509_STORE_CTX|, initialize it with a single (say, 
global) |X509_STORE|, and feed a worker thread with a checking routine 
which calls |X509_verify_cert|.

The question is, does this kind of thread-sharing of |X509_STORE| need 
any external locking provided by an application?

Particularly, I'm worried because |X509_STORE_CTX_init| takes a 
non-const pointer of my |X509_STORE|. Probably, this is because this 
function modifies reference counters inside the store, which is 
thread-safe provided that locking callbacks are set during 
initialization of the library. There should be no other non-const access 
to the store, right?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161102/a1c92ed8/attachment.html>

More information about the openssl-users mailing list