2

I've searched on google and bing, openssl faq, some API man-pages, no hints found.

Is this a historical problem, or a deliberated design?

Link
  • 118
  • 6

2 Answers2

4

Think of SSL_CTX as a factory for making SSL objects. SSL connections are only handled by SSL objects. However they can have many settings. Rather than duplicate this every time you want a new SSL object you create an SSL_CTX with all the settings in it up front, and then you can create as many SSL objects as you like with those settings already there. You can of course still choose to set things up at an individual SSL object level if you so wish.

Matt Caswell
  • 8,167
  • 25
  • 28
-1

To add to Matt Caswell's answer, the reasoning behind the 'factory' model of design also lies in the way that server POSIX sockets are implemented. With a server implementation, you first create a socket and 'bind' it to a particular port on your machine (such as port 443, which is standard for TLS connections). From there, it can 'listen' for incoming connections by clients. The program then repeatedly call accept(), which blocks until a new connection comes in and returns a new file descriptor representing the connection to that individual client. The program might pass that file descriptor to another thread or do something else to enable multiple connections to be dealt with at the same time.

Now, if the OpenSSL library only had the SSL object and not SSL_CTX, then the program would have to reconfigure all the settings it wants to use for that SSL object every single time the server accepts a new client connection. Think of the overhead that would generate for every connection--having to load in the server certificate and private key from a file, as well as configuring all the possible settings (of which there are many in OpenSSL) would cost quite a bit of time. To solve this, the SSL_CTX can have all of those settings loaded up and ready to transfer to an SSL object whenever a new connection is accepted. In essence, it simplifies the code and drastically cuts down the overhead on every connection made.

For more info, see the OpenSSL Wiki's server implementation - https://wiki.openssl.org/index.php/Simple_TLS_Server

The code isn't up to date with the most recent version of OpenSSL, but it conveys the usefulness of the SSL_CTX pretty well.

Nathaniel Bennett
  • 11
  • 1