EVP_PKEY_CTX* Best Practices

Matt Caswell matt at openssl.org
Wed Oct 2 09:19:44 UTC 2019

On 02/10/2019 03:10, Christian Mazakas wrote:
> I'm relatively new to the world of OpenSSL.
> I'm trying to write a QUIC stream class and for that, I need to use the
> EVP_PKEY_CTX and I'm not sure what's the optimal way of scoping instances of
> this context.
> For example, should I have a CTX per Quic connection? Or rather one that's
> shared by many in a thread-safe manner? What's the cost of generating one per
> connection? Are there docs where I can read about this kind of stuff?

There are no hard and fast rules on this as much is going to depend on the
particular application. However, EVP_PKEY_CTX creation is not particularly
expensive. As a point of reference libssl creates and destroys these on a
temporary basis per connection. Most likely the overhead of trying to share
these between multiple threads, and the locking that would therefore be
required, is not going to be worth it.

