Hi,

I apologize for posting to the wrong mailing list. I've just subscribed
to curl-library ML.

I support the curl_global_init() solution you propose, it makes a lot of
sense and AFAIK would follow the guidelines from OpenSSL.

Regards,

Tanguy

-----Original Message-----
From: curl-users-bounces_at_cool.haxx.se
[mailto:curl-users-bounces_at_cool.haxx.se] On Behalf Of Daniel Stenberg
Sent: 29 July 2009 16:18
To: the curl tool
Cc: libcurl hacking
Subject: Re: Incorrect OpenSSL usage and thread-safety issues in
Curl_ossl_seed

On Wed, 29 Jul 2009, Tanguy Fautre wrote:

I consider this topic better suited for the libcurl list, so I'm cc'ing
my
reply over there.

> As far as LibCurl is concerned, the problem comes from Curl_ossl_seed
that
> contains a non-thread-safe static initialization. See ssluse.c, line
270 to
> 276.
>
> Further down the stack, ossl_seed() calls RAND_screen(). Now
apparently
> RAND_screen is not thread-safe either. See the discussion on OpenSSL
> mailing list for more info.
> http://marc.info/?l=openssl-dev&m=124838339302787&w=2

Blargh. :-( I do think they could've mentioned at least something about
that
fact in their documentation.

Since we do have lots of seeding stuff based on options on the handle, I

figure we should start with simply moving the RAND_screen() call to the
Curl_ossl_init() function, which gets called from curl_global_init()
(which is
known and documented to not be thread-safe).

Wouldn't that be good enough?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html