
Fetch reference count for SSL_CTX?


Jeffrey Walton

Mar 7, 2014, 6:16:33 PM
I have a cache of SSL_CTX's. When a SSL_CTX reference count drops to
1, I'd like to remove it from the cache. (1 means the cache holds the
only copy, so I should be able to remove it and call SSL_CTX_free).

Is it possible to retrieve the reference count on a SSL_CTX?

Thanks in advance.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Viktor Dukhovni

Mar 8, 2014, 3:52:35 PM
On Fri, Mar 07, 2014 at 06:16:33PM -0500, Jeffrey Walton wrote:

> I have a cache of SSL_CTX's. When a SSL_CTX reference count drops to
> 1, I'd like to remove it from the cache. (1 means the cache holds the
> only copy, so I should be able to remove it and call SSL_CTX_free).
>
> Is it possible to retrieve the reference count on a SSL_CTX?

This design is odd. Caches often contain the only copy of something,
and expunge the cached object based on some constraint, maximum
time in cache, maximum number of objects cached (LRU policy), and
so on. With such designs you just SSL_CTX_free() the context when
dropping it from the cache, and OpenSSL will free it if the cache
held the last reference.

Why does your cache only hold the object so long as there is at
least one current external reference?

--
Viktor.

Jeffrey Walton

Mar 10, 2014, 11:19:41 AM
On Sat, Mar 8, 2014 at 3:52 PM, Viktor Dukhovni
<openss...@dukhovni.org> wrote:
> On Fri, Mar 07, 2014 at 06:16:33PM -0500, Jeffrey Walton wrote:
>
>> I have a cache of SSL_CTX's. When a SSL_CTX reference count drops to
>> 1, I'd like to remove it from the cache. (1 means the cache holds the
>> only copy, so I should be able to remove it and call SSL_CTX_free).
>>
>> Is it possible to retrieve the reference count on a SSL_CTX?
>
> This design is odd. Caches often contain the only copy of something,
> and expunge the cached object based on some constraint, maximum
> time in cache, maximum number of objects cached (LRU policy), and
> so on. With such designs you just SSL_CTX_free() the context when
> dropping it from the cache, and OpenSSL will free it if the cache
> held the last reference.
>
> Why does your cache only hold the object so long as there is at
> least one current external reference.
>
The certificates used are short lived to keep revocation manageable.
For testing, that can be as low as hours and minutes. To exercise the
purge functionality during testing, I want to perform the deletes.

I should probably back up: is it OK to provide the same server SSL_CTX
to multiple clients? It looks OK to me because the SSL_CTX maintains a
list of SSL_SESSION* for each client. But I don't know about the
non-obvious stuff, and stuff not covered in the books. (And I have not
yet written the test cases because app-level caching is still
malleable).

By the way, does this look right from ssl.h (from 1.0.1f, around line 920):

#ifndef OPENSSL_ENGINE
/* Engine to pass requests for client certs to
*/
ENGINE *client_cert_engine;
#endif

Shouldn't that be "#ifndef OPENSSL_NO_ENGINE"...?

Jeff
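The cache design Viktor describes (hold one reference, evict by policy, call the free function and let the library reclaim the object only when the last holder lets go) and the sharing Jeff asks about (one context handed to several connections) can be shown together. The following is an added example, not code from this thread or from OpenSSL. It uses a stand-in type ctx_t with ctx_up_ref()/ctx_free() modelled on the SSL_CTX_up_ref()/SSL_CTX_free() semantics of OpenSSL 1.1.0 and later (on 1.0.x the increment was CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX)); the cache never reads the reference count, which is the point.

```c
/*
 * Added example (not from the thread or from OpenSSL): an LRU cache of
 * reference-counted contexts. The cache holds exactly one reference,
 * evicts by its own policy and calls the free function; an evicted
 * context stays alive as long as any connection still holds it.
 *
 * ctx_t / ctx_up_ref() / ctx_free() are stand-ins (assumption) for
 * SSL_CTX / SSL_CTX_up_ref() / SSL_CTX_free().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char name[32];   /* stands in for the cert/key the context was built from */
    int  references; /* like SSL_CTX->references */
} ctx_t;

static int g_freed = 0; /* counts real deallocations, for checking */

static ctx_t *ctx_new(const char *name) {
    ctx_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    strncpy(c->name, name, sizeof c->name - 1);
    c->references = 1;
    return c;
}

static void ctx_up_ref(ctx_t *c) { c->references++; }

/* Drop one reference; deallocate only when the last one goes. */
static void ctx_free(ctx_t *c) {
    if (!c) return;
    if (--c->references > 0) return;
    g_freed++;
    free(c);
}

#define CACHE_CAP 2

typedef struct {
    ctx_t *slot[CACHE_CAP]; /* slot[0] is most recently used */
    int n;
} ctx_cache_t;

/* Return a context for `name`, giving the caller its own reference.
 * On a miss, build it and evict the least recently used entry if full. */
static ctx_t *cache_get(ctx_cache_t *cache, const char *name) {
    for (int i = 0; i < cache->n; i++) {
        if (strcmp(cache->slot[i]->name, name) == 0) {
            ctx_t *hit = cache->slot[i];
            memmove(&cache->slot[1], &cache->slot[0], i * sizeof *cache->slot);
            cache->slot[0] = hit;
            ctx_up_ref(hit);           /* caller's reference */
            return hit;
        }
    }
    if (cache->n == CACHE_CAP) {
        /* Evict: drop the cache's reference; freed only if nobody else holds it. */
        ctx_free(cache->slot[CACHE_CAP - 1]);
        cache->n--;
    }
    ctx_t *fresh = ctx_new(name);
    if (!fresh) return NULL;
    memmove(&cache->slot[1], &cache->slot[0], cache->n * sizeof *cache->slot);
    cache->slot[0] = fresh;            /* cache keeps the creating reference */
    cache->n++;
    ctx_up_ref(fresh);                 /* caller's reference */
    return fresh;
}

static void cache_flush(ctx_cache_t *cache) {
    for (int i = 0; i < cache->n; i++) ctx_free(cache->slot[i]);
    cache->n = 0;
}

/* Scenario: two connections share context "a"; "b" and "c" then push "a"
 * out of the cache, but "a" must survive until both connections release it.
 * Returns evicted*100 + released*10 + final deallocation counts, -1 on error. */
static int scenario(void) {
    ctx_cache_t cache = {{0}, 0};
    g_freed = 0;
    ctx_t *conn1 = cache_get(&cache, "a");
    ctx_t *conn2 = cache_get(&cache, "a");   /* same context shared by two clients */
    if (conn1 != conn2) return -1;
    ctx_t *conn3 = cache_get(&cache, "b");
    ctx_t *conn4 = cache_get(&cache, "c");   /* cache full: evicts "a" */
    int freed_after_evict = g_freed;         /* 0: conn1/conn2 still hold "a" */
    ctx_free(conn1);
    ctx_free(conn2);                         /* last reference to "a": deallocated */
    int freed_after_release = g_freed;       /* 1 */
    ctx_free(conn3);
    ctx_free(conn4);
    cache_flush(&cache);                     /* "b" and "c" go now */
    return freed_after_evict * 100 + freed_after_release * 10 + g_freed; /* 13 */
}

int main(void) {
    printf("scenario code: %d (expected 13)\n", scenario());
    return 0;
}
```

The cache can safely evict a context that clients are still using because eviction only drops the cache's own reference; the deallocation happens wherever the last SSL_CTX_free() call occurs, which the cache does not need to know. For the test purge Jeff describes, the same code path is exercised by simply evicting on a timer.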