Use case: I want connections to be accepted and served in a network thread and delegate all certificate checking to another thread (or even thread pool). CA for all certificates to be checked is stored in a single
Is it safe to share single X509_STORE between multiple threads for verifying certificate?
Yes, but with strings attached. The Yes is because OpenSSL provides locks for the store:
    openssl-1.0.2h$ grep -IR CRYPTO_LOCK * | grep STORE
    crypto/crypto.h:# define CRYPTO_LOCK_X509_STORE 11
    crypto/crypto.h:# define CRYPTO_LOCK_STORE 37
    crypto/x509/by_dir.c: CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
    crypto/x509/by_dir.c: CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
    crypto/x509/by_dir.c: CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
    crypto/x509/by_dir.c: CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
    ...
However, the "strings attached" is you need to manually install the locks, which can be non-trivial. Also see: