curl/docs/libcurl/libcurl-thread.md
Wyatt O'Day 1dc6ddde06 mbedTLS: cleanup insecure/deprecated code
1. With `MBEDTLS_SSL_PROTO_TLS1_2` not enabled, the mbedTLS code was not
able to connect to any server due to broken logic in curl's
`mbed_set_ssl_version_min_max()`. Now it correctly sets the minimum
supported TLS version based on what is compiled in the library.

2. If debugging is enabled, move the debugging enabling earlier in the
`mbed_connect_step1()` so that verbose errors are actually displayed if
failures happen (see the previous point -- it would've made debugging
that issue easier).

3. Remove the constant `mbedtls_x509_crt_profile_fr` and instead use
mbedTLS-included profile `mbedtls_x509_crt_profile_next` with
`mbedtls_ssl_conf_cert_profile()`. This will follow the latest standards
as new mbedTLS versions are released (rather than being stuck-in-time
until someone comes along to fix what was hard-coded here). This has the
immediate benefit of no longer supporting SHA1 certs and insecure RSA
key-lengths (1024). This fix immediately prevents previously possible
MITM attacks (SHA1 hashes and RSA-1024 keys can be forged relatively
easily by nation-state actors and criminal organizations with
deep pockets).

4. Added [predictive
resistance](https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-a-random-generator/#enabling-prediction-resistance)
to the random number generator (adding more entropy to the RNG).

5. Split the random number generator into initialization, the actual
random generation, and the "freeing" of the resources. This
significantly reduces the overhead of using the RNG.

6. Removed the separate RNG function in the TLS connect stage (instead
use the "main" one) and remove the ad-hoc threading support. Instead
properly document how to enable threading in mbedTLS. As it was, other
internals of mbedTLS could have race conditions (in the RSA module in
particular) if `MBEDTLS_THREADING_C` was *not* enabled. And if it is
enabled, then these race conditions cannot happen. And also, if
`MBEDTLS_THREADING_C` is enabled then the RNG functions [are fully
thread-safe](https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading/).

   So, the previous ad-hoc threading support was both partial and broken.

7. Enable support for disabling `MBEDTLS_PEM_PARSE_C`.

8. Add support for `CURLOPT_SSLCERTTYPE` so user can specify `PEM` or
`DER` and get faster execution.

Closes #19983
2025-12-20 17:33:57 +01:00


c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Title: libcurl-thread
Section: 3
Source: libcurl
See-also: libcurl-security (3)
Protocol: All
Added-in: n/a

# NAME

libcurl-thread - libcurl thread safety

# Multi-threading with libcurl

libcurl is thread-safe but has no internal thread synchronization. You may have to provide your own locking should you meet any of the thread safety exceptions below.

## Handles

You must never share the same handle in multiple threads. You can pass the handles around among threads, but you must never use a single handle from more than one thread at any given time.

## Shared objects

You can share certain data between multiple handles by using the share interface but you must provide your own locking and set curl_share_setopt(3) CURLSHOPT_LOCKFUNC and CURLSHOPT_UNLOCKFUNC.

Note that some items are specifically documented as not thread-safe in the share API (the connection pool and HSTS cache for example).

## TLS

All current TLS libraries libcurl supports are thread-safe.

### OpenSSL

OpenSSL 1.1.0+ can be safely used in multi-threaded applications provided that support for the underlying OS threading API is built-in. For older versions of OpenSSL, the user must set mutex callbacks.

libcurl may not be able to fully clean up after multi-threaded OpenSSL depending on how OpenSSL was built and loaded as a library. It is possible in some rare circumstances a memory leak could occur unless you implement your own OpenSSL thread cleanup.

For example, on Windows if both libcurl and OpenSSL are linked statically to a DLL or application then OpenSSL may leak memory unless the DLL or application calls OPENSSL_thread_stop() before each thread terminates. If OpenSSL is built as a DLL then it does this cleanup automatically and there is no leak. If libcurl is built as a DLL and OpenSSL is linked statically to it then libcurl does this cleanup automatically and there is no leak (added in libcurl 8.8.0).

Please review the OpenSSL documentation for a full list of circumstances: https://docs.openssl.org/3.0/man3/OPENSSL_init_crypto/#notes

### mbedTLS

mbedTLS can be used safely in a multi-threaded environment provided that mbedTLS is compiled with MBEDTLS_THREADING_C enabled.

https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading

## Signals

On systems that have a signal concept, signals are used for timing out name resolves (during DNS lookup) when libcurl is built without either the c-ares or the threaded resolver backend.

When using multiple threads you should set the CURLOPT_NOSIGNAL(3) option to 1L for all handles. Everything works fine except that timeouts cannot be honored during DNS lookups - which you can work around by building libcurl with c-ares or threaded-resolver support. c-ares is a library that provides asynchronous name resolves. On some platforms, libcurl simply cannot function properly multi-threaded unless the CURLOPT_NOSIGNAL(3) option is set.

When CURLOPT_NOSIGNAL(3) is set to 1L, your application needs to deal with the risk of a SIGPIPE (that at least the OpenSSL backend can trigger). Note that setting CURLOPT_NOSIGNAL(3) to 0L does not work in a threaded situation as there is a race condition where libcurl risks restoring the former signal handler while another thread should still ignore it.

## Name resolving

The gethostbyname or getaddrinfo and other name resolving system calls used by libcurl are provided by your operating system and must be thread-safe. It is important that libcurl can find and use thread-safe versions of these and other system calls, as otherwise it cannot function fully thread-safe. Some operating systems are known to have faulty thread implementations. We have previously received problem reports on *BSD (at least in the past, they may be working fine these days). Some operating systems that are known to have solid and working thread support are Linux, Solaris and Windows.

## curl_global_* functions

These functions are thread-safe since libcurl 7.84.0 if curl_version_info(3) has the CURL_VERSION_THREADSAFE feature bit set (most platforms).

If these functions are not thread-safe and you are using libcurl with multiple threads it is especially important that before use you call curl_global_init(3) or curl_global_init_mem(3) to explicitly initialize the library and its dependents, rather than rely on the "lazy" fail-safe initialization that takes place the first time curl_easy_init(3) is called. For an in-depth explanation refer to libcurl(3) section GLOBAL CONSTANTS.

## Memory functions

These functions, provided either by your operating system or your own replacements, must be thread-safe. You can use curl_global_init_mem(3) to set your own replacement memory functions.

## Non-safe functions

CURLOPT_DNS_USE_GLOBAL_CACHE(3) is not thread-safe.

curl_version_info(3) is not thread-safe before libcurl initialization.