Question about thread safety and SSL_CTX* and its SSL*
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Sep 27 16:42:48 UTC 2022
On Tue, Sep 27, 2022 at 06:35:47PM +0200, Thomas Bailleux wrote:
> However, I am still facing issues when I use `SSL_CTX` and `SSL` objects.
>
> I use `SSL_CTX` and `SSL` inside a threaded application. Threads are managed using pthread primitives.
>
> Basically, I create a `SSL_CTX`, and I fill it depending on the TLS method.
> At this point, the `SSL_CTX` is final. I never change it again.
>
> Then, I create n `SSL`s from the `SSL_CTX`, and I spawn n pthreads.
> Each pthread takes the ownership of a single `SSL`. Finally, each
> pthread is going to use its `SSL` object for establishing some TLS
> connections. `SSL` objects never get destroyed, instead I use
> `SSL_clear` for kind of recycling them.
Perhaps you're freeing some objects that are owned by the library, or
continuting to use objects that the library owned and freed.
> My question is: Is my app thread safe ? I wonder, because I am facing
> random null deref. If I create a `SSL_CTX` for each thread,
> everything is fine.
What you're doing should work, if implemented correctly, but my advice
is to not use SSL_clear(), rather create a fresh (SSL *) handle for
each connection. These are cheap enough to not warrant recycling.
--
Viktor.
More information about the openssl-users
mailing list