[openssl-users] OpenSSL 1.1 X509_STORE sharing

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 18 17:21:25 UTC 2018



> On Sep 18, 2018, at 1:04 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> 
> That depends on whether setting the cert_store element was done properly (in a way
> that incremented the reference count) or not.  See the documentation of:
> 
> 	SSL_CTX_set1_cert_store(3)
> 	SSL_CTX_set_cert_store(3)
> 
> the latter does not facilitate sharing the store across multiple SSL_CTX instances.

Note that SSL_CTX_set1_cert_store(3) is new with OpenSSL 1.1.x.  In OpenSSL
1.0.2, the caller would have to increment the reference count prior to
calling SSL_CTX_set_cert_store().  The caller typically owns a primary copy of
the store to use when configuring various SSL_CTX objects.  In that case
the primary copy can be freed once the application no longer intends to
use the store to configure any more SSL_CTX objects.

In OpenSSL 1.1.x there is an X509_STORE_up_ref() function.  In OpenSSL 1.0.2,
you can do that directly via:

   CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);

Bottom line, you need to figure out the life-cycle of the object, and ensure
that reference counts are properly maintained.

-- 
	Viktor.
