[ruby-core:113031] [Ruby master Feature#19553] Document thread-safety of OpenSSL related classes such as OpenSSL::PKey::RSA or OpenSSL::Cipher etc
From:
"rupert (Robert Pankowecki) via ruby-core" <ruby-core@...>
Date:
2023-03-28 13:42:28 UTC
List:
ruby-core #113031
Issue #19553 has been reported by rupert (Robert Pankowecki).

----------------------------------------
Feature #19553: Document thread-safety of OpenSSL related classes such as OpenSSL::PKey::RSA or OpenSSL::Cipher etc
https://bugs.ruby-lang.org/issues/19553

* Author: rupert (Robert Pankowecki)
* Status: Open
* Priority: Normal
----------------------------------------
From the ruby documentation it is not clear if these objects can be used (i.e. when assigned to a constant) by multiple threads. Especially for the respective encrypting/decrypting method after those objects are fully initialized with keys etc.

If you look at what OpenSSL::PKey::RSA#private_encrypt does, it uses RSA_private_encrypt method from openssl: https://www.openssl.org/docs/man1.1.1/man3/RSA_private_encrypt.html . Which also is not documented in relation to thread-safety.

The only thing that I found so far about this subject is:

> OpenSSL can generally be used safely in multi-threaded applications provided that at least two callback functions are set, the locking_function and threadid_func. Note that OpenSSL is not completely thread-safe, and unfortunately not all global resources have the necessary locks. Further, the thread-safety does not extend to things like multiple threads using the same SSL object at the same time.

from https://www.openssl.org/docs/man1.0.2/man3/threads.html

which on itself does not help much because:

* it is vague (not clear what's the meaning of both "SSL object" and "at the same time")
* I do not know if Ruby provides locking_function and threadid_func, perhaps it does https://github.com/ruby/ruby/blob/99d0a257af54aa819c6ced5f1ff8ff37e3d5342b/ext/openssl/ossl.c#L616 ?
* I am not sure what's the impact of GIL on all this

Looking at how Rails uses OpenSSL related objects, it seems that creating a new instance every time is the recommended approach. Can you confirm?

-- 
https://bugs.ruby-lang.org/
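
Added example, not part of the original message and not code from Ruby or Rails: it shows that an OpenSSL::Cipher carries per-instance buffered state, next to the pattern the message describes of creating a new instance for every operation. The key, the helper names and the AES modes are assumptions chosen for illustration.

```ruby
require "openssl"

# Constructed sample key; helper names and AES modes are assumptions.
KEY = OpenSSL::Random.random_bytes(32).freeze

# A Cipher holds per-instance state: input shorter than a block is buffered,
# so update calls interleaved on one shared instance would mix their data,
# whatever locking OpenSSL itself performs.
def buffered_state_demo(key)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = key
  cipher.random_iv
  [cipher.update("a" * 5).bytesize, cipher.update("b" * 11).bytesize]
end

# Per-call pattern: only the frozen key String is shared between threads;
# mode, IV, buffer and auth tag live in a Cipher local to this call.
def encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext]
end

def decrypt(key, iv, tag, ciphertext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final # raises CipherError on a bad tag
end

# Each thread encrypts and decrypts its own message with fresh instances.
def round_trip_in_threads(key, count)
  threads = Array.new(count) do |i|
    Thread.new do
      message = "message #{i} " * 50
      decrypt(key, *encrypt(key, message)) == message
    end
  end
  threads.map(&:value)
end
```

This pattern does not answer whether a shared, fully initialized instance is safe; it avoids depending on the answer.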