[openssl-users] OpenSSL 1.1 X509_STORE sharing
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Sep 18 17:21:25 UTC 2018
> On Sep 18, 2018, at 1:04 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>
> That depends on whether setting the cert_store element was done properly (in a way
> that incremented the reference count) or not. See the documentation of:
>
> SSL_CTX_set1_cert_store(3)
> SSL_CTX_set_cert_store(3)
>
> the latter does not facilitate sharing the store across multiple SSL_CTX instances.
Note that SSL_CTX_set1_cert_store(3) is new with OpenSSL 1.1.x. In OpenSSL
1.0.2, the caller would have to increment the reference count prior to
calling SSL_CTX_set_cert_store(). The caller typically owns a primary copy of
the store to use when configuring various SSL_CTX objects. In that case
the primary copy can be freed once the application no longer intends to
use the store to configure any more SSL_CTX objects.
In OpenSSL 1.1.x there is an X509_STORE_up_ref() function. In OpenSSL 1.0.2,
you can do that directly via:
CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
Bottom line, you need to figure out the life-cycle of the object, and ensure
that reference counts are properly maintained.
--
Viktor.