[Devel] [ openser-Patches-1464264 ] support for TLS client domains (name based and socket based)
Dan Pascu
dan at ag-projects.com
Thu Apr 6 15:13:00 CEST 2006
On Thursday 06 April 2006 15:56, Klaus Darilion wrote:
> Dan Pascu wrote:
> > Not necessarily (see above). The new configuration can be loaded,
> > contexts computed and when available all you have to do is to commute
> > a pointer to the new configuration (assuming the whole tls config is
> > kept in a structure referenced by a pointer). This pointer change is
> > an atomic operation. After this the old tls config can be discarded
> > and the transition will be atomic and instantaneous for all worker
> > processes.
>
> I think for ongoing TLS connections the existing SSL contexts may not
> be deleted. I'm not an expert on this, but as Jan and Andrei found some
> issues I thought there will be some issues.
Well, each SSL context (which I will assume is represented by a structure
in memory) can have a reference count attached. Each time a call uses an
SSL context it will increment this reference count, and when it stops using
it, it will decrement the reference count.
Then when you reload and go to delete the old contexts only the ones that
have a reference count = 0 will be actually deleted, the rest will
survive and be deleted when their reference count reaches 0 after the
connections that use them release them when done. Basically the delete
context function will be replaced by a DECREF() function which decrements
the reference counter and calls the real delete only if that counter
reached 0.
--
Dan
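
The reload scheme discussed in this message, as an added C sketch that is not code from the thread or from OpenSER: a reference-counted config whose "current" pointer is swapped on reload, with the real delete deferred to the last DECREF. All names (`tls_cfg`, `tls_cfg_acquire`, `tls_cfg_reload`, `freed_flag`) are hypothetical, and the example goes one step beyond the message by taking a small lock around "read pointer, then increment", since a reload landing between those two steps could free the structure under the reader. It assumes a single address space; with separate worker processes the structure and lock would have to live in shared memory.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical stand-in for a loaded TLS configuration (would own the SSL contexts). */
struct tls_cfg {
    atomic_int refs;   /* one for the "current" slot plus one per connection using it */
    int generation;    /* constructed field so configs can be told apart */
    int *freed_flag;   /* constructed: set to 1 when the real delete runs */
};

static struct tls_cfg *current_cfg;              /* the pointer a reload swaps */
static atomic_flag cfg_lock = ATOMIC_FLAG_INIT;  /* guards read+incref against swap */

static void cfg_lock_take(void) { while (atomic_flag_test_and_set(&cfg_lock)) { } }
static void cfg_lock_drop(void) { atomic_flag_clear(&cfg_lock); }

/* Build a config holding one reference, which tls_cfg_reload() hands to the slot. */
struct tls_cfg *tls_cfg_new(int generation, int *freed_flag) {
    struct tls_cfg *c = malloc(sizeof *c);
    if (!c) return NULL;
    atomic_init(&c->refs, 1);
    c->generation = generation;
    c->freed_flag = freed_flag;
    return c;
}

/* DECREF(): drop one reference; the real delete runs only at zero. */
void tls_cfg_decref(struct tls_cfg *c) {
    if (c && atomic_fetch_sub(&c->refs, 1) == 1) {
        if (c->freed_flag) *c->freed_flag = 1;
        free(c);   /* real code would free the SSL contexts here */
    }
}

/* Connection setup: pin whichever config is current right now. */
struct tls_cfg *tls_cfg_acquire(void) {
    cfg_lock_take();
    struct tls_cfg *c = current_cfg;
    if (c) atomic_fetch_add(&c->refs, 1);
    cfg_lock_drop();
    return c;
}

/* Reload: publish the fully built config, then release the slot's old reference. */
void tls_cfg_reload(struct tls_cfg *fresh) {
    cfg_lock_take();
    struct tls_cfg *old = current_cfg;
    current_cfg = fresh;
    cfg_lock_drop();
    tls_cfg_decref(old);   /* deleted now only if no connection still holds it */
}
```

A connection calls `tls_cfg_acquire()` once when it starts and `tls_cfg_decref()` when it closes, so a config replaced mid-connection stays valid until that connection is done.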