<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><br>It seems that Hunchentoot (which uses CL+SSL) is crashing under threaded<br>concurrent SSL access [1] and it doesn't seem that it is using CL+SSL <br>incorrectly. Is this a known problem, and is there some way to <br>determine if it is CL+SSL or Hunchentoot?<br><br><br>Also, I think that in cl+ssl/ffi.lisp<br><br><pre>(cffi:defcfun
 ("SSL_CTX_use_RSAPrivateKey_file" ssl-ctx-use-rsa-privatekey-file)
 :int
 (ctx ssl-ctx)
 (type :int))</pre><br>may be incorrect because the C definition is <br><pre>int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);</pre><br><br>hence it seems it should be:<br><br><pre>(cffi:defcfun
 ("SSL_CTX_use_RSAPrivateKey_file" ssl-ctx-use-rsa-privatekey-file)
 :int
 (ctx ssl-ctx)
 (file :string) ;; this is missing
 (type :int))</pre><br><br>This won't change much, because this function does not seem to be used.<br><br><br>I found this out in trying to figure out why concurrent SSL was crashing Hunchentoot.<br>I learned that SSL_use_certificate_file should perhaps be avoided [3] because<br><br> "If you are assigning many SSL sessions to the same CTX structure and all <br> sessions will use the same certificate, issue the SSL_CTX_use_certificate_file <br> function once to assign the certificate to the CTX structure rather than issuing <br> the SSL_use_certificate_file once for each SSL session."<br><br>so it is arguable that CL+SSL is not doing what is advised. 
But I don't think<br>that this is what is causing the crashes, because I tried hacking it to load the <br>certs into the CTX once, and it still failed (but didn't coredump any more, just <br>had some fraction of failed SSL connections - weird).<br><br><br>(Also, it appears that the docs for libssl don't guarantee that parameter<br>strings like 'file' are not saved, meaning one would have to call with a malloc'ed <br>C-string, not a temporary Lisp-to-C string, but in fact it seems that the value<br>of file is used then discarded, so it is OK as-is. Malloc'ing 'file' didn't prevent Hunchentoot<br>from crashing.)<br><br><br>[1] <a href="http://common-lisp.net/pipermail/tbnl-devel/2011-March/005503.html">http://common-lisp.net/pipermail/tbnl-devel/2011-March/005503.html</a><br><br>[2] <a href="http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html">http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html</a><br><br>[3] <a href="http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpf-ztpfdf.doc_put.cur/gtpc2/cpp_ssl_ctx_use_rsaprivatekey_file.html">http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpf-ztpfdf.doc_put.cur/gtpc2/cpp_ssl_ctx_use_rsaprivatekey_file.html</a><br><br><br>- John Klein</body></html>
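The two points raised in the message above (the missing `file` argument in the SSL_CTX_use_RSAPrivateKey_file binding, and the advice in [3] to load the certificate into the SSL_CTX once rather than into every SSL session) can be shown together in a small Common Lisp example. This is an added illustration, not code from the message, from CL+SSL or from Hunchentoot: it declares its own CFFI bindings for the real OpenSSL entry points with their full C signatures, loads certificate and key exactly once into a shared context, and then creates per-connection SSL objects that inherit them. The package name, the function names `make-server-context` and `make-connection-ssl`, the shared-library file names and the use of `TLS_server_method` (which assumes OpenSSL 1.1 or later) are assumptions for the example.

```lisp
;;; Added example (not CL+SSL or Hunchentoot code): load certificate and key
;;; ONCE into an SSL_CTX, then hand out per-connection SSL objects from it.
;;; Assumes CFFI is loaded and OpenSSL >= 1.1 (TLS_server_method).

(defpackage :ctx-once-example
  (:use :cl)
  (:export #:make-server-context #:make-connection-ssl))
(in-package :ctx-once-example)

;; Library names are an assumption; adjust for your platform.
(cffi:define-foreign-library libssl
  (:unix (:or "libssl.so.3" "libssl.so.1.1" "libssl.so"))
  (t (:default "libssl")))
(cffi:use-foreign-library libssl)

(defconstant +ssl-filetype-pem+ 1)   ; SSL_FILETYPE_PEM from openssl/ssl.h

(cffi:defcfun ("TLS_server_method" tls-server-method) :pointer)

(cffi:defcfun ("SSL_CTX_new" ssl-ctx-new) :pointer
  (method :pointer))

;; C: int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
(cffi:defcfun ("SSL_CTX_use_certificate_file" ssl-ctx-use-certificate-file) :int
  (ctx :pointer)
  (file :string)
  (type :int))

;; C: int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
;; Same shape as the certificate loader; the `file` argument must be present.
(cffi:defcfun ("SSL_CTX_use_RSAPrivateKey_file" ssl-ctx-use-rsa-privatekey-file) :int
  (ctx :pointer)
  (file :string)
  (type :int))

;; C: int SSL_CTX_check_private_key(const SSL_CTX *ctx)
(cffi:defcfun ("SSL_CTX_check_private_key" ssl-ctx-check-private-key) :int
  (ctx :pointer))

(cffi:defcfun ("SSL_new" ssl-new) :pointer
  (ctx :pointer))

(cffi:defcfun ("SSL_set_fd" ssl-set-fd) :int
  (ssl :pointer)
  (fd :int))

(defun make-server-context (cert-file key-file)
  "Create one SSL_CTX and load CERT-FILE and KEY-FILE into it exactly once.
Call this at server start-up, never per connection."
  (let ((ctx (ssl-ctx-new (tls-server-method))))
    (when (cffi:null-pointer-p ctx)
      (error "SSL_CTX_new failed"))
    ;; A :string parameter is converted to a temporary C string for the
    ;; duration of the call; OpenSSL only uses `file` to open the file, so
    ;; no long-lived (malloc'ed) copy is needed.
    (unless (= 1 (ssl-ctx-use-certificate-file ctx cert-file +ssl-filetype-pem+))
      (error "could not load certificate ~A" cert-file))
    (unless (= 1 (ssl-ctx-use-rsa-privatekey-file ctx key-file +ssl-filetype-pem+))
      (error "could not load private key ~A" key-file))
    ;; Fail fast at start-up if the key does not belong to the certificate.
    (unless (= 1 (ssl-ctx-check-private-key ctx))
      (error "private key ~A does not match certificate ~A" key-file cert-file))
    ctx))

(defun make-connection-ssl (ctx fd)
  "Per-connection work only: SSL_new copies certificate and key from CTX,
so nothing is read from disk here and the shared CTX is only read."
  (let ((ssl (ssl-new ctx)))
    (when (cffi:null-pointer-p ssl)
      (error "SSL_new failed"))
    (unless (= 1 (ssl-set-fd ssl fd))
      (error "SSL_set_fd failed"))
    ssl))
```

Usage: call `make-server-context` once when the server starts and hand the returned context to every acceptor thread; each accepted socket gets `(make-connection-ssl ctx fd)` followed by the usual SSL_accept, I/O and SSL_free, which this example does not bind. Loading the files only in the start-up path is what separates the per-context pattern recommended in [3] from a per-session SSL_use_certificate_file call that every thread would make concurrently against the same context.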