Anirban

Reputation: 580

How to duplicate an SSL_CTX object in a TLS application?

I have an application in C that uses OpenSSL for its TLS v1.2 implementation.

The application shall open multiple remote connections to a remote server running the same version of TLS. I have a single set of key, certificate and CA_certificate to be used for all connections.

I need to maintain the SSL_CTX object for each client separately. But, I wish to create a single global SSL_CTX context object and configure it once for the following:

And then, for each connection initiated by the application, I can duplicate (make a copy of) the above configured context ctx and call SSL_new() directly, without going through the listed steps over and over for each client.

Does OpenSSL provide any function to duplicate the SSL_CTX object? If not, is there any other safe way to do so, like memcpy() etc.?

Upvotes: 0

Views: 882

Answers (1)

Afshin

Reputation: 9173

SSL_CTX is reference counted. It means it will be freed when its reference count reaches zero.

So rather than copying the SSL_CTX, just increase its reference count with SSL_CTX_up_ref() and use the same object. As a result, your code will be something like this:

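#include <openssl/ssl.h>

SSL_CTX *g_ssl_ctx = NULL;
//...
// init g_ssl_ctx once
//...

// Returns the shared context with one extra reference, or NULL on failure.
// The caller releases its reference with SSL_CTX_free().
SSL_CTX *get_client_ctx(void) {
    if (g_ssl_ctx == NULL || SSL_CTX_up_ref(g_ssl_ctx) != 1)
        return NULL;
    return g_ssl_ctx;
}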

Upvotes: 1
