### Description
During OpenSSL 1.1.1 integration it was necessary to use a per-worker SSL_CTX, instantiated
in `tls/tls_mod.c`. This is still required for OpenSSL 3.x integration.
This is a retrospective root cause analysis of why this duplicated SSL_CTX is needed.
#### Reproduction
1. Instead of creating repeating SSL_CTX (one-per-worker) have all workers use a single
SSL_CTX
2. Observation: intermittent connection failures
3. Observation: if `tls` is using only EC keys, the connections will succeed
#### Root Cause Analysis
OpenSSL RSA BN operations are multi-threaded ready (can be used in single-process
multi-threaded applications). However the BN operations depend crucially on each thread
reporting different `pthread_self()` values. At runtime `pthread_self()` values can be
reused and are only different for all running threads in a single process.
When rank 0 forks the worker processes their `pthread_self()` values will overlap. This
will result in invalid BN computations and lead to failure of RSA connections. In a sense
the workers perform “identity theft”.
There is no mechanism in pthreads to reset the thread ids; they are opaque handles.
In contrast, OpenSSL ECDSA operations do not invoke `pthread_self()` and do not require
unique thread IDs.
#### Notes
- no action is required; this is purely a historical note
- I have added a code comment:
https://github.com/kamailio/kamailio/commit/29007ada5bc9e07ede3cdbce285f04d…
- I will leave this issue up for a few days for knowledge sharing
--
https://github.com/kamailio/kamailio/issues/3709
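
The overlap described under Root Cause Analysis can be observed directly with the C program below, which forks workers and counts how many see the parent's `pthread_self()` value as their own while their process IDs differ. It is an added example, not code from Kamailio or OpenSSL; `count_workers_sharing_parent_tid` and `worker_report` are names made up for the demo. It assumes a platform such as Linux with glibc, where the thread handle is an address that `fork()` copies unchanged into the child.

```c
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Report each forked worker sends back to the parent (constructed for this demo). */
struct worker_report {
    pid_t pid;      /* process id: differs per worker */
    int same_tid;   /* 1 if the worker's pthread_self() equals the parent's value */
};

/* Fork n workers and return how many of them report the same pthread_self()
 * value the parent captured before fork(); -1 on error. If pids_differ is
 * non-NULL it receives 1 when every worker's pid differs from the parent's. */
int count_workers_sharing_parent_tid(int n, int *pids_differ)
{
    pthread_t parent_tid = pthread_self();  /* captured before fork() */
    pid_t parent_pid = getpid();
    int fds[2], shared = 0, differ = 1;

    if (pipe(fds) != 0) return -1;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {  /* worker process: compare its own handle to the inherited copy */
            struct worker_report r = { getpid(), pthread_equal(pthread_self(), parent_tid) ? 1 : 0 };
            ssize_t w = write(fds[1], &r, sizeof r);
            _exit(w == (ssize_t)sizeof r ? 0 : 1);
        }
    }
    close(fds[1]);
    for (int i = 0; i < n; i++) {
        struct worker_report r;
        if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) { shared = -1; break; }
        shared += r.same_tid;
        if (r.pid == parent_pid) differ = 0;
    }
    close(fds[0]);
    while (wait(NULL) > 0) { }  /* reap all workers */
    if (pids_differ) *pids_differ = differ;
    return shared;
}

int main(void)
{
    int differ = 0, shared = count_workers_sharing_parent_tid(4, &differ);
    printf("%d of 4 workers reuse the parent's pthread_self(); pids differ: %d\n", shared, differ);
    return 0;
}
```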