From c5ed0e65b2530443b1367986dac2b3da111c0701 Mon Sep 17 00:00:00 2001
From: S-P Chan
Date: Thu, 11 Jan 2024 08:03:07 +0800
Subject: [PATCH] tls: historical code comment on repeating SSL_CTX per worker (cherry-pick from 29007ada5bc9e07ede3cdbce285f04d1298c0612)
---
 src/modules/tls/tls_mod.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 7cad1b046e4..beaf1b7b70b 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -433,6 +433,16 @@ static int tls_engine_init();
 int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
 #endif
+/*
+ * OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
+ *
+ * OpenSSL RSA blinding works in single-process multi-threaded mode
+ * and depends on pthread_self() to separate threads. In Kamailio multi-process workers
+ * pthread_self() will not necessarily be unique, this will result in incorrect BN
+ * operations—hence we create a separate SSL_CTX for each worker
+ *
+ * EC operations do not use pthread_self(), so could use shared SSL_CTX
+ */
 static int mod_child(int rank)
 {
 if(tls_disable || (tls_domains_cfg == 0))
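Review bot: The new comment block above mod_child leaves the consequence of a non-unique pthread_self() unstated — "incorrect BN operations" could mean anything from failed RSA signatures or handshakes to a weakened blinding countermeasure — and its last line ("could use shared SSL_CTX") reads as an open proposal rather than a description of what the code does. I would spell out the failure mode as far as it was actually diagnosed, and either mark the EC remark as a TODO or drop it, e.g. ` * EC operations do not use pthread_self(); a shared SSL_CTX may be possible (TODO: not implemented)`. The comment also does not say where the per-worker SSL_CTX is created; presumably inside mod_child, whose body continues past the end of the hunk, so a one-line pointer to that call site (and to the OpenSSL version guard, if one exists) would help a reader who lands here. Minor: the em dash in `operations—hence` is a non-ASCII character in a C source comment; `--` or a comma keeps the file ASCII.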