OpenSSL 1.1 X509_STORE sharing


OpenSSL 1.1 X509_STORE sharing

admin
Hello,

I have some legacy code that I am updating for 1.1 and there they set
SSL_CTX::cert_store to NULL before `SSL_CTX_free`. Is this necessary
for the X509_STORE to be shared between contexts?
Note that this still has to be buildable on 1.0 with the same result.
In the docs it says "X509_STORE_free() frees up a single X509_STORE
object." Does it just decrease the reference count or does it really
delete the whole thing and break other contexts?

Thanks,
Maxwell.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: OpenSSL 1.1 X509_STORE sharing

Viktor Dukhovni


> On Sep 18, 2018, at 12:12 PM, [hidden email] wrote:
>
> I have some legacy code that I am updating for 1.1 and there they set SSL_CTX::cert_store to NULL before `SSL_CTX_free`. Is this necessary for the X509_STORE to be shared between contexts?
> Note that this still has to be buildable on 1.0 with the same result.
> In the docs it says "X509_STORE_free() frees up a single X509_STORE object." Does it just decrease the reference count or does it really delete the whole thing and break other contexts?

X509_STORE_free() decrements a reference count, and frees the object only
when the count reaches zero.

--
        Viktor.


Re: OpenSSL 1.1 X509_STORE sharing

Viktor Dukhovni
> On Sep 18, 2018, at 12:30 PM, Maxwell Dreytser <[hidden email]> wrote:
>
>> X509_STORE_free() decrements a reference count, and frees the object only
>> when the count reaches zero.
>>
> Was this behavior the same in older versions?

Yes.

> If so, then there is no reason to clear cert_store even in older version, right?

That depends on whether setting the cert_store element was done properly (in a way
that incremented the reference count) or not.  See the documentation of:

        SSL_CTX_set1_cert_store(3)
        SSL_CTX_set_cert_store(3)

the latter does not facilitate sharing the store across multiple SSL_CTX instances.

--
        Viktor.


Re: OpenSSL 1.1 X509_STORE sharing

Viktor Dukhovni


> On Sep 18, 2018, at 1:04 PM, Viktor Dukhovni <[hidden email]> wrote:
>
> That depends on whether setting the cert_store element was done properly (in a way
> that incremented the reference count) or not.  See the documentation of:
>
> SSL_CTX_set1_cert_store(3)
> SSL_CTX_set_cert_store(3)
>
> the latter does not facilitate sharing the store across multiple SSL_CTX instances.

Note that SSL_CTX_set1_cert_store(3) is new with OpenSSL 1.1.x.  In OpenSSL
1.0.2, the caller would have to increment the reference count prior to
calling SSL_CTX_cert_store().  The caller typically owns a primary copy of
the store to use when configuring various SSL_CTX objects.  In that case
the primary copy can be freed once the application no longer intends to
use the store to configure any more SSL_CTX objects.

In OpenSSL 1.1.x there is an X509_STORE_up_ref() function.  In OpenSSL 1.0.2,
you can do that directly via:

   CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);

Bottom line, you need to figure out the life-cycle of the object, and ensure
that reference counts are properly maintained.

--
        Viktor.
