httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: [PATCH 55593] Add "SSLServerInfoFile" directive
Date Wed, 23 Oct 2013 14:48:22 GMT
On 23/10/2013 15:30, Kaspar Brand wrote:
> On 22.10.2013 22:04, Dr Stephen Henson wrote:
>> Only bit I'm not completely sure about is the use of the SSL_CONF_CTX structure
>> in modssl_ctx_t. It's done that way to avoid having to keep creating and
>> destroying the SSL_CONF_CTX for each directive but a quick test showed it was
>> creating several other SSL_CONF_CTX structures which were never used.
> 
> Right now, the SSL_CONF_CTX_* handling is in ssl_init_ctx_protocol,
> which is called once for each vhost (and each vhost has its own
> modssl_ctx_t), so the change you applied with r1534754 doesn't really
> change much as far as the SSL_CONF_CTX structure handling is concerned,
> I think. To prevent unnecessary SSL_CONF_CTX structures from being
> created, it should be sufficient to enclose that block with an "if
> (mctx->ssl_ctx_param->nelts > 0)" condition, IINM.
> 

Well the handling remains in ssl_init_ctx_protocol but now an SSL_CONF_CTX with
appropriate flags is created in moddssl_ctx_init. That is done because a valid
SSL_CONF_CTX is needed to call SSL_CONF_cmd_value_type in
ssl_cmd_SSLOpenSSLConfCmd.

So my thought was (if unnecessary SSL_CONF_CTX creation is a problem) change the
modssl_ctx_init to just set mctx->ssl_ctx_config to NULL and instead create a
new SSL_CONF_CTX in ssl_cmd_SSLOpenSSLConfCmd if mctx->ssl_ctx_config is NULL.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Mime
View raw message