[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssl-users
Subject:    Re: Possibility to cache ca-bundle and reuse it between SSL sessions?
From:       Jens Maus <mail () jens-maus ! de>
Date:       2014-06-27 7:56:17
Message-ID: BDC06BF8-7794-456F-81C3-D92E06C8CFF6 () jens-maus ! de
[Download RAW message or body]

On 2014-06-25 at 22:22, Michael Wojcik <Michael.Wojcik@microfocus.com> wrote:

[�]
> > But if two or more parallel SSL connections
> > are initiated you would AFAICS require a unique index variable per running
> > SSL*.
> 
> No, that's not how it works. You need one index value per item to be stored in a \
> given SSL object. You have one item to store - a pointer to your application data - \
> in each SSL object. You'll use the same index value for that item in each SSL \
> object.

Thank you very much Michael. That was the final comment that made me fully understand \
where you want to pointed me at. I really first thought I need a unique index for \
each SSL* object, but as you said, I only need to call SSL_get_ex_new_index() once \
upon application startup and just save that single index in a global variable and \
then use it with the SSL_set_ex_data() call I execute when initiating a new SSL \
negotiation.

To finalize this mail thread and make sure if someone stumbles over it via google, \
allow me to add an URL to the sources of the mail client I have now implemented the \
SSL negotiation as you have suggested:

http://yam.ch/browser/trunk/src/tcp/ssl.c?rev=8113#L1053

And for the ones not wanting to read foreign source code, I will summarize our \
findings in some pseudo code:

� cut here �
int globalAppDataIndex;
SSL_CTX *globalSSLctx;

int verify_callback(�)
{
  SSL *ssl = X509_STORE_CTX_get_ex_data(x509_ctx, \
SSL_get_ex_data_X509_STORE_CTX_idx());  void *app_data = SSL_get_ex_data(ssl, \
globalAppDataIndex);

  /* do something on app_data */
  [�]
}

void makeSSLconnection()
{
  void *app_data = malloc();
  
  /* fill app_data with connection specific data */
  [�]

  SSL *ssl = SSL_new(globalSSLctx);
  SSL_set_ex_data(ssl, globalAppDataIndex, app_data);
  SSL_set_fd(ssl, socket);
  SSL_connect(ssl);
  
  /* perform SSL secured connection */
  [�]
}

void InitSSL()
{
  [�]
  globalSSLctx = SSL_CTX_new(�);
  globalAppDataIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
  SSL_CTX_load_verify_locations(globalSSLctx, �);
  SSL_CTX_set_default_verify_paths(globalSSLctx);
  SSL_CTX_set_verify(globalSSLctx, SSL_VERIFY_PEER, verify_callback);
  [�]
}

void main(�)
{
  /* run InitSSL() only once */
  InitSSL();

  /* create multiple, parallel (multithreaded) connections */
  for(int i=0; i < numConnections; i++)
  {
    /* create socket and perform tcp connection */
    [�]

    /* init the SSL negotiation */ 
    makeSSLConnection();
  }

  [�]
}
� cut here � 

This pseudo code should allow to load a ca-bundle or all types of certificates via \
SSL_CTX_load_verify_locations() once at application startup via keeping a single \
SSL_CTX* object throughout the whole lifetime of the application. At the same time it \
comes with a verify_callback and shows how to forward own application specific data \
using SSL_set_ex_data() to the verify callback function.

So thanks to anyone involved in this thread. The final solution is really now more \
optimized and allows to perform SSL connections way faster.

best regards,
jens
-- 
Jens Maus, Dresden/Germany
http://jens-maus.de/

(Please note a real name change effective since 5.9.2013.
Former name: Jens Langner)

*** Content is authentic only with digital signature  ***


["smime.p7s" (smime.p7s)]

0�	*�H��

 �0�

10	+0�	*�H��


 �]0�!0�	 
k�0
	*�H��


0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 \
Primary Intermediate Client CA0 130828034626Z
140828152131Z0>10Umail@jens-maus.de1 0	*�H��

	
mail@jens-maus.de0�
"0
	*�H��



�
0�

�

�a�lۍe����IJp���&��/���$ܝ���K�-�Ö��*dli�2
�C�"k\
g],����ί��#�$�Ýq�(��j�s�&~���
/�T=I3<�X$�]mx
p�NJ�	Jkl�$���%�@��Q�t;8j�f�D�W�~ɞ���t]��r7�pQ��6z�~:�۰����І{NôPnT�eq�JW���F�`ZO��%��
 �p����_z=��������F�FWg��( \
�Z�f�{

���0��0	U00U�0U%0+
+
0U \
�ڃ�P�@I5�L�7�<�/0U#0�Sr풜���
\|~�5N�ԸQ�0U0�mail@jens-maus.de0�
LU \
�
C0�
?0�
;+

��7
0�
*0.+

"http://www.startssl.com/policy.pdf0��+
0��0' \
StartCom Certification Authority0

��This certificate was issued according to the \
Class 1 Validation requirements of the StartCom CA policy, reliance only for the \
intended purpose in compliance of the relying party obligations.06U/0-0+ ) \
'�%http://crl.startssl.com/crtu1-crl.crl0��+


��009+
0
�-http://ocsp.st \
artssl.com/sub/class1/client/ca0B+
0�6http://aia.startssl.com/certs/sub.class1.client.ca.crt0#U0�http://www.startssl.com/0
 	*�H��


�

���X��!z|��m(���e�A�~���=���Pbd�Dħ��#D8D�)\B���(�F�l 
5V��A��!�e��m�ML�>Hxk��� ��zr����q�`;$*�����-�,V	�̩Q,^�Dh:�c����r��%
��SO6v��i�R;���^r��w|)��I�j�گ��+q�W��)&���C��paU�k�rE��@.rI���f^��y�h\�3�����| \
4hkP�x/�^�zNl����a0�40� 

0 	*�H��


0}10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom \
Certification Authority0 071024210155Z
171024210155Z0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 \
Primary Intermediate Client CA0�
"0 	*�H��



�
0�

�

�	���-��)�.����2����A�UG��o��#G�
�B|N�D�����Rp�M-��B��=o���-�we�5��J�Qpa>O��.�#���� �.���_�<���V��
[~�*��*�p�z��~�3�W�G�.ᘟ����Ml�r[�<C�e�6���f����q������O���"��u��xf�WN�#�u����i���c \
gk��v$����Lb�%�������y��`�����_�{`���xK'G�N��

��
�0�
�0U

�0

�0U \


�
0USr풜���
\|~�5N�ԸQ�0U#0�N��@[�i�0�4hC�A��0f+


 \
Z0X0'+
0
�http://ocsp.startssl.com/ca0-+
0�!http://www.startssl.com/sfsca.crt0[UT0R0' \
% #�!http://www.startssl.com/sfsca.crl0' % \
#�!http://crl.startssl.com/sfsca.crl0��U \
y0w0u+

��7

0f0.+

"http://www.startssl.com/policy.pdf04+

(http://www.startssl.com/intermediate.pdf0
 	*�H��


�

�}x�,\�c�^��#wM�q�}��>UK/��^y��X֏y	� \
��f�rMIŲ�B6�1ymQ󸟆�ҨݬZ���0���&��;�@��#13qۑ��&	��̢����
��o�	6�r��_��;�GO>*I�(	7�4���XS1r3��)!�LJ�y��6Ko����tˆ#
 _�w�S�r���
�;�B
A�Dp�(f��s�������䰷6%�����.W0J3�:b�C�<�8t \
X����1�<��C��n�=�����t==�wS���T������~���\�wkB�f�|1��5���zU��P)��(���I��j��VB��! \
����OfI=b
��b�\4�-*em��/нSJm�7���N�����[�]'��@ڽ��D9�Kr>���R��7/��|�o���^I@�ټ'��Pa$ \
z��9�a'L�)��(� �I��}v��c H]�۸�D��� *�W�}
m�>Q����|�C.�(,�l��Q�1�o0�k

0��0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 \
Primary Intermediate Client CAk�0	+ �
�0	*�H�� 
	1	*�H��


0	*�H��

	1
140627075618Z0#	*�H��

	1����T ԋ�A�CX	O���0��	+

�71��0��0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 \
Primary Intermediate Client CAk�0��*�H�� 
	1�� ��0��10	UIL10U

StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 1 \
Primary Intermediate Client CAk�0 	*�H��



�
p�^E����I�ݜ_�D��a7P������o`���#9㒹yQ����߀6:����������R \
8�����t���|A�6i��:&N
I�4}�@�T��gDi���{}���  \
z�;�/�P�����S���[���������%��� �u���9�
aB9o#�K����W��0�i����G�yۯG_���P� \
�N�?9@(!�mÈ�ev��&���w��c�E�̫ �]1 <����%�
e�8"�St��


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org

[prev in list] [next in list] [prev in thread] [next in thread]