curl-library

Thread safe use of openssl with libcurl

From: Dylan Salisbury <dylan_at_tellme.com>
Date: Thu, 5 Aug 2004 13:46:21 -0700

Hello,

 

I've been looking into the issue of thread safety using libcurl and OpenSSL.
This was previously discussed in the thread linked below. I have a
suggestion which basically amounts to documentation changes.

 

http://curl.haxx.se/mail/lib-2003-12/0183.html

 

The main problem is that libcurl with OpenSSL is not as thread safe as the
libcurl documentation suggests, because OpenSSL requires a multi-threaded
application to register locking callbacks. Adding new locking options to
libcurl's share interface is probably not an appropriate solution. This is
because the OpenSSL callbacks are used for all OpenSSL calls made by the
application. Registering them through the share interface would create the
impression that different share handles could have different locking
callbacks, but that is not possible with OpenSSL today.

 

So an application needs to set up its OpenSSL locking callbacks at program
initialization, when curl_global_init is called. The callbacks could be
provided to curl_global_init, but this really doesn't accomplish much. The
only benefit is that it would make users aware of the need to provide
OpenSSL callbacks by causing a compile error if they are not specified.
Even that is a bit of a stretch as non-threaded use does not require the
callbacks. So making curl_global_init aware of the callbacks would involve
adding code that doesn't add any functionality and which may need to be
revised with future versions of OpenSSL.

 

So, I think the best thing to do would be to simply update the documentation
(i.e. http://curl.haxx.se/libcurl/threadsafe.html) to indicate that HTTPS
requests will not be thread safe unless OpenSSL locking callbacks are
written. Here is an OpenSSL page to link to for information on OpenSSL's
required callbacks:

 

http://www.openssl.org/docs/crypto/threads.html

 

It's not difficult to write the necessary callbacks for OpenSSL, and the
OpenSSL distribution includes examples, but the documentation is not as
clear for new users as curl's. So this is still an issue that might trip up
curl users who are not familiar with OpenSSL and want a simple way to add
HTTPS functionality to their applications.

 

Dylan Salisbury
Received on 2004-08-05
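
The callbacks the message refers to, as an added example that is not part of the original mail or of libcurl: pthread mutexes registered through OpenSSL's locking API as it existed before 1.1.0 (OpenSSL 1.1.0 and later do their own locking and turn these registration calls into no-op macros). The names `lock_cb`, `id_cb`, `ssl_thread_setup` and `slot_held` are hypothetical, and the stand-in macros exist only so the file builds where OpenSSL headers are absent.

```c
#include <pthread.h>
#include <stdlib.h>
#if defined(__has_include)
#  if __has_include(<openssl/crypto.h>)
#    include <openssl/crypto.h>  /* real API before 1.1.0, no-op macros since */
#  endif
#endif
#ifndef CRYPTO_LOCK  /* assumption: stand-ins so this builds without OpenSSL headers */
#  define CRYPTO_LOCK 1
#  define CRYPTO_num_locks() 1
#  define CRYPTO_set_id_callback(f) ((void)(f))
#  define CRYPTO_set_locking_callback(f) ((void)(f))
#endif

static pthread_mutex_t *locks;  /* one mutex per OpenSSL lock slot */

/* OpenSSL sets CRYPTO_LOCK in mode to acquire slot n and clears it to release. */
void lock_cb(int mode, int n, const char *file, int line)
{
    (void)file; (void)line;
    if (mode & CRYPTO_LOCK) pthread_mutex_lock(&locks[n]);
    else                    pthread_mutex_unlock(&locks[n]);
}

/* Thread id callback; pthread_t is an integer type on Linux (assumption). */
unsigned long id_cb(void) { return (unsigned long)pthread_self(); }

/* Call once from the main thread, before curl_global_init() and before any
   worker thread exists. Returns the number of lock slots, or -1 on failure. */
int ssl_thread_setup(void)
{
    int n = CRYPTO_num_locks();
    locks = malloc((size_t)n * sizeof *locks);
    if (!locks) return -1;
    for (int i = 0; i < n; i++) pthread_mutex_init(&locks[i], NULL);
    CRYPTO_set_id_callback(id_cb);
    CRYPTO_set_locking_callback(lock_cb);
    return n;
}

/* Constructed check: 1 if slot n is currently held, 0 if it is free. */
int slot_held(int n)
{
    if (pthread_mutex_trylock(&locks[n]) != 0)
        return 1;
    pthread_mutex_unlock(&locks[n]);
    return 0;
}
```

At shutdown, once every thread using libcurl has exited, unregister with `CRYPTO_set_locking_callback(NULL)` and destroy the mutexes.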