httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
Date Sat, 30 Nov 2013 11:54:17 GMT
On 30 Nov 2013, at 9:44 AM, wrote:

> Author: kbrand
> Date: Sat Nov 30 07:44:27 2013
> New Revision: 1546693
> URL:
> Log:
> Tweaks for SSLOpenSSLConfCmd:
> - use cfgMergeArray, and reduce the size of the initial array
> - move SSL_CONF_cmd calls from ssl_init_ctx_protocol to
>  ssl_init_server_ctx (so they are applied after ssl_init_server_certs)
> - add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case
> - call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx

A question out of ignorance on my side. Will/can the above directive be able to influence
/ somehow affect the ENGINE_ctrl_cmd_string() openssl call needed when using dynamic engines
in openssl (the "engine -pre" and "-post" options specifically)?

I've picked the pkcs11 support apart in openssl to discover that there are really two engines
at work, the "dynamic" engine capable of loading engines from dynamic libraries, and then
the "pkcs11" engine which is just an implementation that happens to be (if you use opensc
anyway) loadable as a dynamic library (this will be obvious to an openssl developer but wasn't
obvious to me from the documentation I've read to date, which doesn't make clear that two
engines are at work, or where the one engine begins and the other ends).

It would be nice to be able to kill-two-birds-with-one-directive if it makes sense to do so
(and entirely understand if it doesn't make sense).


View raw message