Thread: fork_process.c and OpenSSL
I think this falls into the feature request category.

fork_process handles forking on *nix. OpenSSL is not fork safe on the child side. I seem to recall Nico Williams traced it back to non-safe async signal handling and the inability to replace the locks safely. See http://wiki.openssl.org/index.php/Libcrypto_API#Fork_Safety. In this case, the guys are recommending posix_spawn.

**********

fork_process finishes with the following:

#ifdef USE_SSL
    RAND_cleanup();
#endif

It's great to see the attention to detail. RAND_cleanup may be heavier-weight than needed because it could discard current generator state. In this case, if the state was good before the fork, it's probably good after the fork. So all that should be needed is to mix in additional entropy to diversify states.

To mix in additional entropy (without discarding state), all that is needed is a call to RAND_poll. See http://wiki.openssl.org/index.php/Random_fork-safety.

Ben Laurie pushed a patch recently that might be of interest. It mixes in the PID and Time from a high-res timer (if available) rather than discarding state. See https://github.com/openssl/openssl/commit/3cd8547a2018ada88a4303067a2aa15eadc17f39.
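Added example, not part of the original post and not code from PostgreSQL or OpenSSL: a toy generator stands in for libcrypto's RNG state to show that a forked child repeats the parent's output unless PID and a timestamp are mixed into the inherited state. The names toy_next, toy_mix_after_fork and child_repeats_parent, the seed and the mixing constants are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Toy generator (splitmix64) standing in for libcrypto's RNG state; not a CSPRNG. */
static uint64_t state = 0x243F6A8885A308D3ULL; /* constructed seed */

static uint64_t toy_next(void) {
    uint64_t z = (state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Fold PID and a high-resolution timestamp into the existing state, keeping it. */
static void toy_mix_after_fork(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    state ^= (uint64_t)getpid() * 0xD6E8FEB86659FD93ULL;
    state ^= ((uint64_t)ts.tv_sec << 32) ^ (uint64_t)ts.tv_nsec;
    (void)toy_next(); /* stir */
}

/* 1 if the child's next output equals the parent's, 0 if not, -1 on error. */
static int child_repeats_parent(int mix_in_child) {
    int fd[2];
    uint64_t child_out = 0, parent_out;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: starts with a byte-for-byte copy of state */
        if (mix_in_child) toy_mix_after_fork();
        child_out = toy_next();
        _exit(write(fd[1], &child_out, sizeof child_out) == (ssize_t)sizeof child_out ? 0 : 1);
    }
    close(fd[1]);
    parent_out = toy_next();
    ssize_t r = read(fd[0], &child_out, sizeof child_out);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return r == (ssize_t)sizeof child_out ? child_out == parent_out : -1;
}

int main(void) {
    printf("no mix: same=%d, mixed: same=%d\n", child_repeats_parent(0), child_repeats_parent(1));
    return 0;
}
```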
On 11/13/13, 10:52 AM, Jeffrey Walton wrote:
> I think this falls into the feature request category.
>
> fork_process handles forking on *nix.

Given that the current setup has worked more or less for a very long time, it's hard to get enthusiastic about making nonspecific changes on less than air-tight evidence. We need to support many OpenSSL versions on many platforms and many configurations.

Again, if you think there is an improvement to be made, please send specific patches with references or performance measurements.