[prev in list] [next in list] [prev in thread] [next in thread] List: openssl-users Subject: Re: Possibility to cache ca-bundle and reuse it between SSL sessions? From: Jens Maus <mail () jens-maus ! de> Date: 2014-06-27 7:56:17 Message-ID: BDC06BF8-7794-456F-81C3-D92E06C8CFF6 () jens-maus ! de [Download RAW message or body] On 2014-06-25 at 22:22, Michael Wojcik <Michael.Wojcik@microfocus.com> wrote: [] > > But if two or more parallel SSL connections > > are initiated you would AFAICS require a unique index variable per running > > SSL*. > > No, that's not how it works. You need one index value per item to be stored in a \ > given SSL object. You have one item to store - a pointer to your application data - \ > in each SSL object. You'll use the same index value for that item in each SSL \ > object. Thank you very much Michael. That was the final comment that made me fully understand \ where you want to pointed me at. I really first thought I need a unique index for \ each SSL* object, but as you said, I only need to call SSL_get_ex_new_index() once \ upon application startup and just save that single index in a global variable and \ then use it with the SSL_set_ex_data() call I execute when initiating a new SSL \ negotiation. To finalize this mail thread and make sure if someone stumbles over it via google, \ allow me to add an URL to the sources of the mail client I have now implemented the \ SSL negotiation as you have suggested: http://yam.ch/browser/trunk/src/tcp/ssl.c?rev=8113#L1053 And for the ones not wanting to read foreign source code, I will summarize our \ findings in some pseudo code: cut here int globalAppDataIndex; SSL_CTX *globalSSLctx; int verify_callback() { SSL *ssl = X509_STORE_CTX_get_ex_data(x509_ctx, \ SSL_get_ex_data_X509_STORE_CTX_idx()); void *app_data = SSL_get_ex_data(ssl, \ globalAppDataIndex); /* do something on app_data */ [] } void makeSSLconnection() { void *app_data = malloc(); /* fill app_data with connection specific data */ [] SSL *ssl = SSL_new(globalSSLctx); SSL_set_ex_data(ssl, globalAppDataIndex, app_data); SSL_set_fd(ssl, socket); SSL_connect(ssl); /* perform SSL secured connection */ [] } void InitSSL() { [] globalSSLctx = SSL_CTX_new(); globalAppDataIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); SSL_CTX_load_verify_locations(globalSSLctx, ); SSL_CTX_set_default_verify_paths(globalSSLctx); SSL_CTX_set_verify(globalSSLctx, SSL_VERIFY_PEER, verify_callback); [] } void main() { /* run InitSSL() only once */ InitSSL(); /* create multiple, parallel (multithreaded) connections */ for(int i=0; i < numConnections; i++) { /* create socket and perform tcp connection */ [] /* init the SSL negotiation */ makeSSLConnection(); } [] } cut here This pseudo code should allow to load a ca-bundle or all types of certificates via \ SSL_CTX_load_verify_locations() once at application startup via keeping a single \ SSL_CTX* object throughout the whole lifetime of the application. At the same time it \ comes with a verify_callback and shows how to forward own application specific data \ using SSL_set_ex_data() to the verify callback function. So thanks to anyone involved in this thread. The final solution is really now more \ optimized and allows to perform SSL connections way faster. best regards, jens -- Jens Maus, Dresden/Germany http://jens-maus.de/ (Please note a real name change effective since 5.9.2013. Former name: Jens Langner) *** Content is authentic only with digital signature *** ["smime.p7s" (smime.p7s)] 0 *H 010 + 0 *H ]0!0 k0 *H 010 UIL10U StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 \ Primary Intermediate Client CA0 130828034626Z 140828152131Z0>10Umail@jens-maus.de1 0 *H mail@jens-maus.de0"0 *H 0 a lۍeIJp&/$ܝK-Ö*dli2 C"k\ g],ί#$Ýq(js&~/T=I3<X$]mx pNJ Jkl$%@Qt;8jfDW~ɞt]r7pQ6z~:۰І{NôPnTeqJW F`ZO% p_z=FFWg( \ Zf{ 00 U0 0U0U%0++0U \ ڃP@I5L7</0U#0Sr풜\|~5NԸQ0U0mail@jens-maus.de0LU \ C0?0;+70*0.+"http://www.startssl.com/policy.pdf0+00' \ StartCom Certification Authority0This certificate was issued according to the \ Class 1 Validation requirements of the StartCom CA policy, reliance only for the \ intended purpose in compliance of the relying party obligations.06U/0-0+ ) \ '%http://crl.startssl.com/crtu1-crl.crl0+009+0-http://ocsp.st \ artssl.com/sub/class1/client/ca0B+06http://aia.startssl.com/certs/sub.class1.client.ca.crt0#U0http://www.startssl.com/0 *H X!z|m(eA~=PbdDħ#D8D)\B(Fl 5VA!emML>Hxk zrq`;$*-,V ̩Q,^Dh:cr% SO6viR;^rw|)Ijگ+qW)&CpaUkrE@.rIf^yh\3| \ 4hkPx/^zNla040 0 *H 0}10 UIL10U StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom \ Certification Authority0 071024210155Z 171024210155Z010 UIL10U StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 \ Primary Intermediate Client CA0"0 *H 0 -).2AUGo#G B|NDRpM-B=o-we5JQpa>O.# ._<V [~**pz~3WG .ᘟMlr[<Ce6fqO"uxfWN#uic \ gkv$Lb%y`_{`xK'GN 00U00U \ 0USr풜\|~5NԸQ0U#0N@[i04hCA0f+ \ Z0X0'+0http://ocsp.startssl.com/ca0-+0!http://www.startssl.com/sfsca.crt0[UT0R0' \ % #!http://www.startssl.com/sfsca.crl0' % \ #!http://crl.startssl.com/sfsca.crl0U \ y0w0u+70f0.+"http://www.startssl.com/policy.pdf04+(http://www.startssl.com/intermediate.pdf0 *H }x,\c^#wMq}>UK/^yX֏y \ frMIŲB61ymQҨݬZ0&