Oleg Andriyanov Oleg Andriyanov - 1 year ago 68
C Question

Is it safe to share single X509_STORE between multiple threads for verifying certificate?

Use case: I want connections to be accepted and served in a network thread and delegate all certificate checking to another thread (or even thread pool). CA for all certificates to be checked is stored in a single

. Basically, when certificate is received from a client, I create new
, initialize it with a single (say, global)
, and feed a worker thread with a checking routine which calls

The question is, does this kind of thread-sharing of
need any external locking provided by an application?

Particularly, I'm worried because
takes a non-const pointer of my
. Probably, this is because this function modifies reference counters inside the store, which is thread-safe provided that locking callbacks are set during initialization of the library. There should be no other non-const access to the store, right?

jww jww
Answer Source

Is it safe to share single X509_STORE between multiple threads for verifying certificate?

Yes, but with strings attached. The Yes is because OpenSSL provides locks for the store:

openssl-1.0.2h$ grep -IR CRYPTO_LOCK * | grep STORE
crypto/crypto.h:# define CRYPTO_LOCK_X509_STORE          11
crypto/crypto.h:# define CRYPTO_LOCK_STORE               37
crypto/x509/by_dir.c:            CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
crypto/x509/by_dir.c:            CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
crypto/x509/by_dir.c:        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
crypto/x509/by_dir.c:        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);

However, the "strings attached" is you need to manually install the locks, which can be non-trivial. Also see:

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download