Using single EVP_PKEY instance across multiple connections

Using single EVP_PKEY instance across multiple connections

Barbe, Charles
Hi,

I have an implementation of a multi-threaded HTTP server that I wrote using OpenSSL version 1.0.1g. Currently, on initialization of the server, I load my private key from disk and store it in an EVP_PKEY pointer. Whenever I accept a new connection, I use that same pointer to an EVP_PKEY in my call to SSL_CTX_use_PrivateKey. Is that safe or should I be copying my EVP_PKEY for each connection?

Thanks!

Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
[hidden email] | 585.421.5565
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
RE: Using single EVP_PKEY instance across multiple connections

Barbe, Charles
To expand on this question a little more, is it safe to just create one SSL_CTX* at initialization of my server that will be used each time a new client connects when I do SSL_new(ctx)?


Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
[hidden email] | 585.421.5565

________________________________________
From: [hidden email] [[hidden email]] on behalf of Barbe, Charles [[hidden email]]
Sent: Friday, June 27, 2014 4:18 PM
To: [hidden email]
Subject: Using single EVP_PKEY instance across multiple connections

Hi,

I have an implementation of a multi-threaded HTTP server that I wrote using OpenSSL version 1.0.1g. Currently, on initialization of the server, I load my private key from disk and store it in an EVP_PKEY pointer. Whenever I accept a new connection, I use that same pointer to an EVP_PKEY in my call to SSL_CTX_use_PrivateKey. Is that safe or should I be copying my EVP_PKEY for each connection?

Thanks!

Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
[hidden email] | 585.421.5565
Re: Using single EVP_PKEY instance across multiple connections

Dr. Stephen Henson
On Sun, Jun 29, 2014, Barbe, Charles wrote:

> To expand on this question a little more, is it safe to just create one
> SSL_CTX* at initialization of my server that will be used each time a new
> client connects when I do SSL_new(ctx)?
>

Yes it is. That's how most servers are written.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Using single EVP_PKEY instance across multiple connections

Salz, Rich
In reply to this post by Barbe, Charles
> To expand on this question a little more, is it safe to just create one SSL_CTX*
> at initialization of my server that will be used each time a new client connects
> when I do SSL_new(ctx)?

Yes.

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz

Re: Using single EVP_PKEY instance across multiple connections

Jeffrey Walton-3
In reply to this post by Barbe, Charles
On Sun, Jun 29, 2014 at 1:58 PM, Barbe, Charles
<[hidden email]> wrote:
> To expand on this question a little more, is it safe to just create one SSL_CTX* at initialization of my server that will be used each time a new client connects when I do SSL_new(ctx)?
>
Yes.