git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Emeric Brun <ebrun@haproxy.com>
	Thu, 15 Jun 2017 14:37:39 +0000 (16:37 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Tue, 31 Oct 2017 12:58:32 +0000 (13:58 +0100)
commit	821bb9beaa40b4793ad4617fdf4fdab5ad4a4c7b
tree	a5285d093c902207968a19bedfe1725aad643fe0	tree
parent	6b35e9bfbf0f37c8a584c7aabb475afb81b7008c	commit \| diff

MAJOR: threads/ssl: Make SSL part thread-safe

First, OpenSSL is now initialized to be thread-safe. This is done by setting 2
callbacks. The first one is ssl_locking_function. It handles the locks and
unlocks. The second one is ssl_id_function. It returns the current thread
id. During the init step, we create as much as R/W locks as needed, ie the
number returned by CRYPTO_num_locks function.

Next, The reusable SSL session in the server context is now thread-local.

Shctx is now also initialized if HAProxy is started with several threads.

And finally, a global lock has been added to protect the LRU cache used to store
generated certificates. The function ssl_sock_get_generated_cert is now
deprecated because the retrieved certificate can be removed by another threads
in same time. Instead, a new function has been added,
ssl_sock_assign_generated_cert. It must be used to search a certificate in the
cache and set it immediatly if found.

include/common/hathreads.h		diff \| blob \| blame \| history
include/proto/ssl_sock.h		diff \| blob \| blame \| history
include/types/server.h		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history