澄清OpenSSL 0.9.8L并发支持 - SSL实例可以由多个线程使用如果不是并发完成? [英] Clarifying OpenSSL 0.9.8L Concurrency Support - Can SSL Instances Be Used By Multiple Threads If Done Non-Concurrently?
问题描述
我们有一个多线程网络应用程序已使用套接字10年,现在我们正试图通过OpenSSL 0.9.8L保护应用程序。多年来,应用程序的网络协议被设计为利用单个套接字连接的双工性质;应用程序并发读取和写入同一个套接字。应用程序管理底层套接字本身,并通过SSL_set_fd将套接字描述符传递给OpenSSL。
We have a multi-threaded network application that has been using sockets for 10 years and now we're trying to secure the application with OpenSSL 0.9.8L. Over the years, the application's network protocols have been designed to take advantage of the duplex nature of a single socket connection; the application concurrently reads and writes on the same socket. The application manages the underlying socket itself and passes the socket descriptor to OpenSSL via SSL_set_fd.
我们配置OpenSSL支持多线程,设置静态和动态锁定回调。 CRYPTO_set_id_callback(),CRYPTO_set_locking_callback()等。在大多数情况下,应用程序运行良好,但我们看到一些异常。
We configured OpenSSL for multithread support, setting up both the static and dynamic locking callbacks e.g. CRYPTO_set_id_callback(), CRYPTO_set_locking_callback(), etc. For the most part, the application functions well but we're seeing some anomalies. To help us determine the cause, definitive answers to a few questions would help.
OpenSSL常见问题页面指出OpenSSL是线程安全的,但是认为一个单一的 SSL连接不能同时由多个线程使用。
The OpenSSL Frequently Asked Questions page states that OpenSSL is thread safe, but maintains that a single "SSL connection may not concurrently be used by multiple threads."
http://www.openssl.org/support/faq.html#PROG1
- True或False。 OpenSSL连接API调用(SSL_Read,SSL_Write等)可以在同一SSL实例(SSL_new调用返回的指针指向SSL)上同时执行?
- True或False。对于阻止启用SSL_MODE_AUTO_RETRY的套接字,线程A可以调用SSL实例X上的SSL_Read(),而线程B并发调用SSL实例X上的SSL_Write()?
- True或False。当应用程序使用非阻塞套接字并且阻止在同一SSL实例上同时执行SSL_Read和SSL_Write(以及其他连接API调用)时,OpenSSL无错误工作?
- True或False。 SSL_new返回的OpenSSL SSL实例被绑定到调用SSL_new的单线程;绑定意味着SSL实例不能与任何其他线程共享,SSL实例仅对调用SSL_new的线程有效?
- True或False。如果线程A i)调用SSL_new,获得SSL实例X,并且ii)使用SSL实例X调用SSL_Read。如果线程B使用相同的SSL实例X非并发地调用SSL_Read / SSL_Write,则最终将发生失败
- True or False. OpenSSL connection API calls (SSL_Read, SSL_Write, etc.) may execute concurrently on the same SSL instance (pointer-to-SSL returned by a SSL_new call)?
- True or False. For blocking sockets where SSL_MODE_AUTO_RETRY is enabled, thread A can call SSL_Read() on SSL instance X while thread B concurrently calls SSL_Write() on SSL instance X?
- True or False. OpenSSL works error free when an application uses non-blocking sockets and prevents concurrent execution of SSL_Read and SSL_Write (as well as other connection API calls) on the same SSL instance?
- True or False. OpenSSL SSL instance's returned by SSL_new are bound to the single thread which called SSL_new; bound meaning that the SSL instance may not be shared with any other threads, the SSL instance is only valid for use on the thread which called SSL_new?
- True or False. If thread A i) calls SSL_new, obtaining an SSL instance X and ii) calls SSL_Read using the SSL instance X. A failure will eventually occur if thread B non-concurrently calls SSL_Read/SSL_Write using the same SSL instance X?
推荐答案
1.True或False。 OpenSSL连接API调用(SSL_Read,SSL_Write等)可以在同一SSL实例(SSL_new调用返回的指针指向SSL)上同时执行?
1.True or False. OpenSSL connection API calls (SSL_Read, SSL_Write, etc.) may execute concurrently on the same SSL instance (pointer-to-SSL returned by a SSL_new call)?
* False。否,您不能在同一SSL实例上同时使用SSL_read / SSL_write。*
2.True或False。对于阻止启用SSL_MODE_AUTO_RETRY的套接字,线程A可以调用SSL实例X上的SSL_Read(),而线程B并发调用SSL实例X上的SSL_Write()?
2.True or False. For blocking sockets where SSL_MODE_AUTO_RETRY is enabled, thread A can call SSL_Read() on SSL instance X while thread B concurrently calls SSL_Write() on SSL instance X?
* 与上面的答案相同。有或没有SSL_MODE_AUTO_RETRY,您不能同时使用相同的SSL实例X同时执行SSL_read和SSL_write *
3.True或False。当应用程序使用非阻塞套接字并且阻止在同一SSL实例上同时执行SSL_Read和SSL_Write(以及其他连接API调用)时,OpenSSL会无错误地工作?
3.True or False. OpenSSL works error free when an application uses non-blocking sockets and prevents concurrent execution of SSL_Read and SSL_Write (as well as other connection API calls) on the same SSL instance?
True。如果没有并发执行,则OpenSSL对于阻止和非阻止套接字工作正常。
4.True或False。 SSL_new返回的OpenSSL SSL实例被绑定到调用SSL_new的单线程;绑定意味着SSL实例不能与任何其他线程共享,SSL实例仅对调用SSL_new的线程有效?
4.True or False. OpenSSL SSL instance's returned by SSL_new are bound to the single thread which called SSL_new; bound meaning that the SSL instance may not be shared with any other threads, the SSL instance is only valid for use on the thread which called SSL_new?
> False。 SSL实例没有被OpenSSL本身绑定到任何线程。您可以使用在另一个线程中的一个线程中创建的SSL实例,只要在任何一个时间点只有一个线程使用单个SSL实例。
False. The SSL instance is not bound to any thread by OpenSSL itself. You can use the SSL instance created in one thread in another thread as long as only one thread is using a single SSL instance at any one point of time.
5.True或False。如果线程A i)调用SSL_new,获得SSL实例X,以及ii)使用SSL实例X调用SSL_Read。如果线程B使用相同的SSL实例X非并发地调用SSL_Read / SSL_Write,则最终会发生失败。
5.True or False. If thread A i) calls SSL_new, obtaining an SSL instance X and ii) calls SSL_Read using the SSL instance X. A failure will eventually occur if thread B non-concurrently calls SSL_Read/SSL_Write using the same SSL instance X?
False。线程A和线程B都可以使用相同的SSL实例X,因为两者不会对SSL实例X执行并行操作。
False. Both Thread A and Thread B can use the same SSL instance X, as long both don't do concurrent operations on SSL instance X.
这篇关于澄清OpenSSL 0.9.8L并发支持 - SSL实例可以由多个线程使用如果不是并发完成?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
