EVP_PKEY_CTX* Best Practices


Christian Mazakas
I'm relatively new to the world of OpenSSL.

I'm trying to write a QUIC stream class and for that, I need to use the EVP_PKEY_CTX and I'm not sure what's the optimal way of scoping instances of this context.

For example, should I have a CTX per Quic connection? Or rather one that's shared by many in a thread-safe manner? What's the cost of generating one per connection? Are there docs where I can read about this kind of stuff?

- Chris

Re: EVP_PKEY_CTX* Best Practices

Matt Caswell-2


On 02/10/2019 03:10, Christian Mazakas wrote:
> I'm relatively new to the world of OpenSSL.
>
> I'm trying to write a QUIC stream class and for that, I need to use the
> EVP_PKEY_CTX and I'm not sure what's the optimal way of scoping instances of
> this context.
>
> For example, should I have a CTX per Quic connection? Or rather one that's
> shared by many in a thread-safe manner? What's the cost of generating one per
> connection? Are there docs where I can read about this kind of stuff?

There are no hard and fast rules on this as much is going to depend on the
particular application. However EVP_PKEY_CTX creation is not particularly
expensive. As a point of reference libssl creates and destroys these on a
temporary basis per connection. Most likely the overhead of trying to share
these between multiple threads, and the locking that would therefore be
required, is not going to be worth it.

Matt