See HIREDIS_USE_CRYPTO_LOCKS in hiredis, I think the code from there could be brought over to tls.c, in initTLS.

/**
 * OpenSSL global initialization and locking handling callbacks.
 * Note that this is only required for OpenSSL < 1.1.0.
 */

cc @yossigo

Comment From: yossigo

@bsergean Thanks for that! I wonder, did you experience any issue with this? Asking because IIRC there's no multi-threaded use of OpenSSL in Redis. Modules could introduce that, which by itself is a good reason to add that.

Comment From: bsergean

No, I didn't experience anything, I was adding the callbacks in my own lib and remembered about Redis' new TLS support, and the 9 million things that can go wrong when you set up OpenSSL :) (now that I think about it there's something called SNI which is good to set up, to work better with reverse proxies that share an address). SSL_set_tlsext_host_name

I've used the curl source code as a reference for things to set up, you never know if something is required or optional. (here is 'my openssl file' for reference if this can be helpful -> https://github.com/machinezone/IXWebSocket/blob/master/ixwebsocket/IXSocketOpenSSL.cpp)

I believe that it cannot be a problem right now, because there's an explicit note in the TLS readme that multi-threading isn't supported yet, but in preparation for the future ...

Ciao, - Benjamin

On May 10, 2020, at 3:28 AM, Yossi Gottlieb notifications@github.com wrote:

@bsergean Thanks for that! I wonder, did you experience any issue with this? Asking because IIRC there's no multi-threaded use of OpenSSL in Redis. Modules could introduce that, which by itself is a good reason to add that.


Comment From: yossigo

@bsergean Oh there are even more things that can go wrong with OpenSSL once you consider different versions, compile options, config files, etc...

Anyway added PR #7230 for this, while it's not very likely to be an issue I'd rather be safe than sorry and avoid rare unexplained crashes.

As for SNI, I don't think it will be very useful on the server side given the nature of Redis and the fact it doesn't have the concept of virtual servers. You may still of course use SNI in any intermediate proxy/load balancer and redis-cli does support it on the client side.