MAJOR: threads/ssl: Make SSL part thread-safe
First, OpenSSL is now initialized to be thread-safe. This is done by setting 2
callbacks. The first one is ssl_locking_function. It handles the locks and
unlocks. The second one is ssl_id_function. It returns the current thread
id. During the init step, we create as much as R/W locks as needed, ie the
number returned by CRYPTO_num_locks function.
Next, The reusable SSL session in the server context is now thread-local.
Shctx is now also initialized if HAProxy is started with several threads.
And finally, a global lock has been added to protect the LRU cache used to store
generated certificates. The function ssl_sock_get_generated_cert is now
deprecated because the retrieved certificate can be removed by another threads
in same time. Instead, a new function has been added,
ssl_sock_assign_generated_cert. It must be used to search a certificate in the
cache and set it immediatly if found.
diff --git a/include/common/hathreads.h b/include/common/hathreads.h
index 81c2aad..e23b687 100644
--- a/include/common/hathreads.h
+++ b/include/common/hathreads.h
@@ -158,6 +158,8 @@
PEER_LOCK,
BUF_WQ_LOCK,
STRMS_LOCK,
+ SSL_LOCK,
+ SSL_GEN_CERTS_LOCK,
LOCK_LABELS
};
struct lock_stat {
@@ -244,7 +246,7 @@
"TASK_RQ", "TASK_WQ", "POOL",
"LISTENER", "LISTENER_QUEUE", "PROXY", "SERVER",
"UPDATED_SERVERS", "LBPRM", "SIGNALS", "STK_TABLE", "STK_SESS",
- "APPLETS", "PEER", "BUF_WQ", "STREAMS" };
+ "APPLETS", "PEER", "BUF_WQ", "STREAMS", "SSL", "SSL_GEN_CERTS"};
int lbl;
for (lbl = 0; lbl < LOCK_LABELS; lbl++) {