The code is in tls_domain.c where d->ctx is an array of SSL_CTX instead of a single SSL_CTX.
Each worker has a personal copy of the SSL_CTX and uses d->ctx[process_no].

In theory for each domain we could use a single SSL_CTX instead of duplicating it max_procs times, so this issue answers the question: Why is d->ctx an array of the same SSL_CTX instead of a single copy of an SSL_CTX?

The roots of this go back to 1.1.1, where OpenSSL removed the ability of CRYPTO_set_id_callback (from 1.0.2). Then a process could generate a unique ID and "pretend" to be a different thread.

In OpenSSL 1.1.1+ the id is reported using pthread_self() - while this is unique within a process it is not unique across multiple workers.
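An added example (not Kamailio's or OpenSSL's code) that demonstrates the pthread_self() point above on Linux/glibc: each forked worker reports the same thread id as the parent, so a single SSL_CTX shared across workers would see colliding ids. NWORKERS is an assumed stand-in for Kamailio's worker count.

```c
/* Added example, not from the Kamailio project. Shows that pthread_self()
 * in a forked child equals the parent's value, i.e. the OpenSSL 1.1.1+
 * built-in thread id is not unique across forked worker processes. */
#include <pthread.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NWORKERS 3  /* assumed stand-in for the number of Kamailio workers */

/* Fork NWORKERS children; each sends its pthread_self() value back through
 * a pipe. Returns how many workers report the parent's thread id, or -1 on
 * a fork/pipe failure. */
int count_workers_sharing_parent_tid(void)
{
    unsigned long parent_tid = (unsigned long)pthread_self();
    int same = 0;
    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    for (int i = 0; i < NWORKERS; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            /* worker: report the id OpenSSL would use as "current thread" */
            unsigned long tid = (unsigned long)pthread_self();
            (void)write(fd[1], &tid, sizeof tid);  /* 8 bytes: atomic on a pipe */
            _exit(0);
        }
    }
    close(fd[1]);  /* parent keeps only the read end */

    unsigned long tid;
    for (int i = 0; i < NWORKERS; i++) {
        if (read(fd[0], &tid, sizeof tid) != (ssize_t)sizeof tid)
            break;
        if (tid == parent_tid)
            same++;
    }
    close(fd[0]);
    while (wait(NULL) > 0) { }  /* reap workers */
    return same;
}

int main(void)
{
    printf("%d of %d workers report the parent's thread id\n",
           count_workers_sharing_parent_tid(), NWORKERS);
    return 0;
}
```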

Do you refer to the next code block?

* https://github.com/kamailio/kamailio/blob/master/src/modules/tls/tls_mod.c#L451-L471

If yes, as I can see it, the tls_fix_domains_cfg() is executed for rank == PROC_SIPINIT when libssl is >=1.1.x, which means it is done only for the first SIP worker process (with the rank 1).
