The code is in `tls_domain.c`, where `d->ctx` is an **array of SSL_CTX** instead of a
single SSL_CTX.
Each worker has a personal copy of the SSL_CTX and uses `d->ctx[process_no]`.
In theory, for each domain we could use a single SSL_CTX instead of duplicating it
max_procs times, so this issue answers the question: why is `d->ctx` an array of the
same SSL_CTX instead of a single copy of an SSL_CTX?
The roots of this go back to 1.1.1, where OpenSSL removed the ability of
`CRYPTO_set_id_callback` (from 1.0.2). Then a process could generate a unique ID and
"pretend" to be a different thread.
In OpenSSL 1.1.1+ the ID is reported using `pthread_self()` - while this is unique within
a process, it is not unique across multiple workers.
Do you refer to the next code block?
* https://github.com/kamailio/kamailio/blob/master/src/modules/tls/tls_mod.c#…
If yes, as I can see it, the `tls_fix_domains_cfg()` is executed for `rank == PROC_SIPINIT`
when libssl is >=1.1.x, which means it is done only for the first SIP
worker process (with the rank 1).
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3709#issuecomment-1888131406
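The thread's claim that `pthread_self()` is unique within a process but not across forked workers can be checked directly. The following is an added example written for this thread, not Kamailio's or OpenSSL's code: it forks one worker, has the worker report its `getpid()` and `pthread_self()` values back over a pipe, and compares them with the parent's. It assumes a glibc- or musl-style `pthread_t` that can be cast to `uintptr_t` for comparison; the function `worker_thread_id_collides()` and the `struct worker_id` are names chosen here.

```c
/* Added example (not Kamailio code): after fork(), the child inherits a copy of
 * the parent's thread control block, so pthread_self() reports the same value
 * in both processes while getpid() differs. A library that identifies the
 * caller by pthread_self() alone (OpenSSL 1.1.1+, per the issue) therefore
 * cannot tell two forked workers apart, which is the situation the per-worker
 * d->ctx[process_no] copies avoid. */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct worker_id {
    pid_t pid;           /* process id of the reporting process */
    uintptr_t thread_id; /* pthread_self() cast to an integer (assumption: glibc/musl layout) */
};

/* Fork one worker and compare its ids with the parent's.
 * Returns 1 if the worker's pid differs but its pthread_self() value is the
 * same as the parent's (ids collide across processes), 0 if the thread ids
 * differ, and -1 on a system error. */
int worker_thread_id_collides(void)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    pid_t child = fork();
    if (child < 0)
        return -1;

    if (child == 0) {
        /* worker side: report ids over the pipe and exit without flushing stdio */
        struct worker_id me;
        me.pid = getpid();
        me.thread_id = (uintptr_t)pthread_self();
        close(fd[0]);
        ssize_t n = write(fd[1], &me, sizeof me);
        close(fd[1]);
        _exit(n == (ssize_t)sizeof me ? 0 : 1);
    }

    /* parent side: read the worker's report, reap it, then compare */
    close(fd[1]);
    struct worker_id w;
    ssize_t n = read(fd[0], &w, sizeof w);
    close(fd[0]);
    int status = 0;
    waitpid(child, &status, 0);
    if (n != (ssize_t)sizeof w)
        return -1;

    struct worker_id parent;
    parent.pid = getpid();
    parent.thread_id = (uintptr_t)pthread_self();

    return (w.pid != parent.pid && w.thread_id == parent.thread_id) ? 1 : 0;
}

int main(void)
{
    int r = worker_thread_id_collides();
    if (r < 0) {
        perror("worker_thread_id_collides");
        return 1;
    }
    printf("pthread_self() %s across forked workers\n",
           r ? "collides" : "is distinct");
    return 0;
}
```

On Linux the program reports a collision: the forked worker has a new pid but the identical `pthread_self()` value. That is why a thread id alone cannot stand in for the per-process identity that `CRYPTO_set_id_callback` used to let an application supply, and why state that must not be shared across workers has to be kept per process.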