[openssl-users] Is it safe to share single X509_STORE between multiple threads for verifying certificate?
Oleg Andriyanov
o.andriyanov at gmail.com
Tue Nov 1 23:16:54 UTC 2016
Hello,
I'd like to clarify a little bit about multithreaded use of X509_verify_cert.

Use case: I want connections to be accepted and served in a network thread and delegate all certificate checking to another thread (or even a thread pool). The CA for all certificates to be checked is stored in a single X509_STORE. Basically, when a certificate is received from a client, I create a new X509_STORE_CTX, initialize it with a single (say, global) X509_STORE, and feed a worker thread with a checking routine which calls X509_verify_cert.

The question is, does this kind of thread-sharing of X509_STORE need any external locking provided by the application?

Particularly, I'm worried because X509_STORE_CTX_init takes a non-const pointer to my X509_STORE. Probably this is because this function modifies reference counters inside the store, which is thread-safe provided that locking callbacks are set during initialization of the library. There should be no other non-const access to the store, right?