Is there memory leak or other bad impact if initialize SSL_CTX* object many times?

[lclfans]

Hi SSL experts,
i have below user case in TCP/SSL server：
1）first, create a SSL_CTX object like below: SSL_CTX* ssl_ctx= SSL_CTX_new(SSLv23_method()); this object only create one time
2) then, when there is a TLS connecting request from client, TLS server will initialize this ssl_ctx with different certificate and CA file, like below:
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | unsupport_vermasks);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_cipher_list(ssl_ctx, cipher_string);
SSL_CTX_load_verify_locations(ssl_ctx, CAfile, NULL);
SSL_CTX_set_verify(ssl_ctx, auth_mode, 0);
SSL_CTX_set_verify_depth(ssl_ctx, verify_depth);
SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, privatekey_passwd);
SSL_CTX_set_default_passwd_cb(ssl_ctx, 0);
SSL_CTX_use_PrivateKey_file(ssl_ctx, privatekey_file, SSL_FILETYPE_PEM);

NOTE: step 2) will occur many times, because we want to use different Certificate.pem and Calist.pem files for different clients.

could you help analyze if there are some issues for our openssl usage? for example, if there is memory leak or other bad impacts?

thanks very much.

[t8m]

The problem is what happens with pre-existing SSL * connections after you change the underlying SSL_CTX. For some of the settings in SSL_CTX that are copied into the SSL object on creation it is not a problem but for some others you're changing them under for the pre-existing SSL connections.

[t8m]

So generally speaking this is not a good idea. You should not change the SSL_CTX for which any pre-existing SSL objects exist.

[lclfans]

the pre-existing SSL objects will still be used by existing connections. once the connections are closed by client, the pre-existing SSL objects will be free.

with our product design, it's hard to create new SSL_CTX object for each client. Is this usage possible if it is the only option?

[mattcaswell]

Almost all of these calls have an SSL_* equivalent. So SSL_CTX_set_options has SSL_set_options. So if you really need to customise these things on a per connection basis then you should use the SSL_* forms instead. Don't change the underlying SSL_CTX once it has been used to create a connection.