httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <minf...@sharp.fm>
Subject Re: Crypto and initialisation
Date Sat, 13 Sep 2008 10:58:49 GMT
Paul Querna wrote:

> Then the API is broken.
> 
> OpenSSL and GnuTLS both allow 'double' initialization, as long as they 
> are also deinitiilzed the same number of times, just like APR does too.
> 
>> What I propose to do to fix this for v2.4 and beyond is write a simple 
>> module mod_crypto whose job it is to initialise the user's chosen 
>> crypto(s) at most once, and serve as a parent module to mod_ssl and 
>> any other crypto module that wants to play.
> 
> Make the API authors fix their APIs, don't add another module.

I suspect we are 12 years too late on this particular issue. While the 
httpd project certainly is well known, I would be pressed to think that 
Microsoft or NSS will change their long established APIs on our account.

If OpenSSL does support double initialisation (this capability isn't 
mentioned in the OpenSSL API), then the problem is reduced to modules 
using NSS or CAPI only, which means that the scope of the initialisation 
module would reduce to modules using the crypto abstraction layer only, 
and mod_ssl can be left alone.

This does sound like a cleaner approach.

Regards,
Graham
--

Mime
View raw message