[Devel] [ openser-Patches-1464264 ] support for TLS client domains
(name based and socket based)
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Apr 6 15:32:59 CEST 2006
Dan Pascu wrote:
> On Thursday 06 April 2006 15:56, Klaus Darilion wrote:
>> Dan Pascu wrote:
>>> Not necessarily (see above). The new configuration can be loaded,
>>> contexts computed and when available all you have to do is to commute
>>> a pointer to the new configuration (assuming the whole tls config is
>>> kept in a structure referenced by a pointer). This pointer change is
>>> an atomic operation. After this the old tls config can be discarded
>>> and the transition will be atomic and instantaneous for all worker
>>> processes.
>> I think for ongoing TLS connections the existing SSL contexts may not
>> be deleted. I'm not an expert on this, but as Jan and Andrei found some
>> issues I thought there will be some issues.
>
> well, each SSL context (which I will assume is represented by a structure
> in memory) can have attached a reference count. Each time a call uses a
> SSL context will increment this reference count and when it stops using
> it will decrement the reference count.
>
> Then when you reload and go to delete the old contexts only the ones that
> have a reference count = 0 will be actually deleted, the rest will
> survive and be deleted when their reference count reaches 0 after the
> connections that use them release them when done. Basically the delete
> context function will be replaced by a DECREF() function which decrements
> the reference counter and calls the real delete only if that counter
> reached 0.
This is where Andrei had some concerns about the reference counter - if
you can be sure that the reference counter is correct in any
circumstances. I think this is one of the reasons he is implementing the
atomic locks for ser.
btw: do you also read serdev? Because then you probably know it already ;-)
regards
klaus
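The reference-counted reload discussed in this thread, as an added example that is not part of the original message and is not OpenSER or SER code: the pointer read and the increment happen under one lock, so a reload cannot delete a configuration between the two. All names (`tls_cfg_t`, `cfg_acquire`, `cfg_reload`, `cfg_decref`, the spinlock) are hypothetical, and a single process is assumed; a multi-process server would keep the structure and the lock in shared memory.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Hypothetical stand-in for one generation of computed SSL contexts. */
typedef struct tls_cfg {
    atomic_int refcnt;       /* 1 held by current_cfg, plus 1 per connection */
    int generation, *freed;  /* *freed is set to 1 on real delete (demo only) */
} tls_cfg_t;
static tls_cfg_t *current_cfg;
static atomic_flag cfg_lock = ATOMIC_FLAG_INIT;  /* minimal spinlock */
static void cfg_lock_get(void) { while (atomic_flag_test_and_set(&cfg_lock)) {} }
static void cfg_lock_put(void) { atomic_flag_clear(&cfg_lock); }
tls_cfg_t *cfg_new(int generation, int *freed) {
    tls_cfg_t *c = malloc(sizeof *c);
    if (!c) abort();
    atomic_init(&c->refcnt, 1);  /* the reference owned by current_cfg */
    c->generation = generation; c->freed = freed;
    return c;
}
/* DECREF(): the real delete runs only when the last holder lets go. */
void cfg_decref(tls_cfg_t *c) {
    if (c && atomic_fetch_sub(&c->refcnt, 1) == 1) { *c->freed = 1; free(c); }
}
/* New connection: read the pointer and take a reference under one lock. */
tls_cfg_t *cfg_acquire(void) {
    cfg_lock_get();
    tls_cfg_t *c = current_cfg;
    if (c) atomic_fetch_add(&c->refcnt, 1);
    cfg_lock_put();
    return c;
}
/* Reload: publish the new pointer, then drop the reference the old one held. */
void cfg_reload(tls_cfg_t *fresh) {
    cfg_lock_get();
    tls_cfg_t *old = current_cfg;
    current_cfg = fresh;
    cfg_lock_put();
    cfg_decref(old);
}
/* Constructed scenario: a connection holds generation 1 across a reload. */
int demo(void) {
    int freed1 = 0, freed2 = 0, r = 0;
    cfg_reload(cfg_new(1, &freed1));
    tls_cfg_t *conn = cfg_acquire();
    cfg_reload(cfg_new(2, &freed2));
    if (!freed1 && conn->generation == 1) r |= 1;  /* old config survived */
    cfg_decref(conn);
    if (freed1 && !freed2) r |= 2;  /* deleted on last release, new one intact */
    cfg_reload(NULL);               /* drop generation 2 before locals vanish */
    return r | (freed2 ? 4 : 0);
}
```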