Description
Currently the SSL_CTX_new() man page has the following info on what a context is:
DESCRIPTION
SSL_CTX_new() creates a new SSL_CTX object as framework to establish TLS/SSL or DTLS enabled connections. An SSL_CTX object is reference counted. Creating an SSL_CTX object for the first time increments the reference count. Freeing it (using SSL_CTX_free) decrements it. When the reference count drops to zero, any memory or resources allocated to the SSL_CTX object are freed. SSL_CTX_up_ref() increments the reference count for an existing SSL_CTX structure.
So what is a context then? Apparently, a framework to establish TLS/SSL or DTLS enabled connections. That however seems unhelpfully vague. OpenSSL's libssl already is what I would consider "a framework to establish TLS/SSL [...] connections." I think the description should explain the exact purpose of the context instead. As far as I can tell, the context is simply a storage object for OpenSSL settings which then will be adhered to by all connections and functions that use this context. This also makes it much clearer what a good scope for a context is, e.g. one context per app is fine if the app has only one set of settings, otherwise multiple are needed. None of which is indicated by just vaguely describing it as a "framework," IMHO.
Also, I can't find any note on thread-safety on this entire man page. What happens if I use SSL_new() in parallel from multiple threads using the same global context at the same time, will that blow up? (Assuming it won't, but I'm not sure.) What happens if I'm changing a setting on the context at the same time, will that blow up? (Assuming it will, but again not sure.) I think these two questions should have a footnote or two on the referenced man page on whether it is supposedly safe to do or not.