The code is in tls_domain.c where d->ctx is an array of SSL_CTX instead of a single SSL_CTX.
Each worker has a personal copy of the SSL_CTX and uses d->ctx[process_no].
In theory for each domain we could use a single SSL_CTX instead of duplicating it max_procs times, so this issue answers the question: Why is d->ctx an array of the same SSL_CTX instead of a single copy of an SSL_CTX?
The roots of this go back to 1.1.1 where OpenSSL removed the ability of CRYPTO_set_id_callback (from 1.0.2). Then a process could generate a unique ID and "pretend" to be a different thread.
In OpenSSL 1.1.1+ the id is reported using pthread_self() - while this is unique within a process it is not unique across multiple workers.
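The pthread_self() point above, as an added example that is not Kamailio's code: forked children (stand-ins for worker processes) report their pthread_self() to the parent, which counts how many match its own value despite having a different pid. The names workers_sharing_parent_tid and struct worker_report are made up for this sketch, and the result assumes Linux with glibc, where a forked child keeps the parent's thread descriptor address.

```c
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

struct worker_report {
    pid_t pid;      /* differs for every worker process */
    pthread_t tid;  /* pthread_self() of the worker's main thread */
};

/* Fork nworkers children and return how many of them report a
 * pthread_self() equal to the parent's while running under a different
 * pid. Returns -1 if pipe() or fork() fails. */
int workers_sharing_parent_tid(int nworkers)
{
    int fds[2], same = 0;
    pthread_t parent_tid = pthread_self();

    if (pipe(fds) != 0)
        return -1;
    for (int i = 0; i < nworkers; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            /* Child: report identity through the pipe and exit. */
            struct worker_report r;
            r.pid = getpid();
            r.tid = pthread_self();
            ssize_t w = write(fds[1], &r, sizeof r);
            _exit(w == (ssize_t)sizeof r ? 0 : 1);
        }
    }
    close(fds[1]); /* parent keeps only the read end, so read() sees EOF */
    struct worker_report r;
    while (read(fds[0], &r, sizeof r) == (ssize_t)sizeof r) {
        if (r.pid != getpid() && pthread_equal(r.tid, parent_tid))
            same++;
    }
    close(fds[0]);
    while (wait(NULL) > 0) { } /* reap all children */
    return same;
}

int main(void)
{
    printf("%d of 4 workers share the parent's thread id\n", workers_sharing_parent_tid(4));
    return 0;
}
```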
Do you refer to the next code block?
* https://github.com/kamailio/kamailio/blob/master/src/modules/tls/tls_mod.c#L451-L471
If yes, as I can see it, the tls_fix_domains_cfg() is executed for rank == PROC_SIPINIT when libssl is >=1.1.x, which means it is done only for the first SIP worker process (with the rank 1).