From: Dr Stephen Henson
Organization: The OpenSSL Foundation
Date: Sun, 01 Dec 2013 13:05:32 +0000
To: dev@httpd.apache.org
Subject: Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c

On 30/11/2013 11:54, Graham Leggett wrote:
>
> I've picked the pkcs11 support apart in openssl to discover that there are
> really two engines at work, the "dynamic" engine capable of loading engines
> from dynamic libraries, and then the "pkcs11" engine which is just an
> implementation that happens to be (if you use opensc anyway) loadable as a
> dynamic library (this will be obvious to an openssl developer but wasn't
> obvious to me from the documentation I've read to date, which doesn't make
> clear that two engines are at work, or where the one engine begins and the
> other ends).
>

Well normally the dynamic ENGINE doesn't matter because it is handled
transparently behind the scenes.

If you look up an ENGINE called "pkcs11" it will first look in its internal
table. If that fails it attempts to use the dynamic ENGINE to load an ENGINE
from an appropriate directory with an appropriate name. The precise location
depends on how OpenSSL is configured but it might for example try to load
"/usr/local/ssl/engines/libpkcs11.so". If that fails you get an error.

It's only if you want to load an ENGINE manually that you have to worry about
the dynamic ENGINE.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
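
The lookup order described in the message above, as a simplified model added here (not OpenSSL source code and not part of the original message). Assumptions: the contents of the internal table, the probe callbacks, all function and enum names, and the "lib<id>.so" naming, which is taken from the message's example path.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of the lookup order in the message; not OpenSSL source. */
enum engine_source { ENGINE_SRC_INTERNAL, ENGINE_SRC_DYNAMIC, ENGINE_SRC_ERROR };

/* Constructed stand-in for the internal table of already registered ENGINEs. */
static const char *const internal_table[] = { "dynamic", "rdrand" };

/* Hypothetical probe: nonzero if a loadable library exists at path. */
typedef int (*lib_probe_fn)(const char *path);

/* Constructed probes so the example runs offline, without touching the disk. */
static int probe_pkcs11_installed(const char *path)
{ return strcmp(path, "/usr/local/ssl/engines/libpkcs11.so") == 0; }
static int probe_nothing_installed(const char *path) { (void)path; return 0; }

/* Internal table first, then "<engines_dir>/lib<id>.so" (naming assumed from the
 * message's example path). On ENGINE_SRC_DYNAMIC, path names the library loaded. */
enum engine_source resolve_engine(const char *id, const char *engines_dir,
                                  lib_probe_fn probe, char *path, size_t pathlen)
{
    size_t i;
    int n;
    for (i = 0; i < sizeof internal_table / sizeof internal_table[0]; i++)
        if (strcmp(internal_table[i], id) == 0) {
            if (pathlen > 0) path[0] = '\0';
            return ENGINE_SRC_INTERNAL;   /* found without loading anything */
        }
    n = snprintf(path, pathlen, "%s/lib%s.so", engines_dir, id);
    if (n >= 0 && (size_t)n < pathlen && probe(path))
        return ENGINE_SRC_DYNAMIC;        /* loaded through the dynamic ENGINE */
    if (pathlen > 0) path[0] = '\0';      /* missing library or truncated path */
    return ENGINE_SRC_ERROR;              /* "If that fails you get an error." */
}

int main(void)
{
    static const char *const names[] = { "internal table", "dynamic load", "error" };
    char path[128];
    enum engine_source s;

    s = resolve_engine("dynamic", "/usr/local/ssl/engines", probe_nothing_installed, path, sizeof path);
    printf("dynamic: %s\n", names[s]);
    s = resolve_engine("pkcs11", "/usr/local/ssl/engines", probe_pkcs11_installed, path, sizeof path);
    printf("pkcs11:  %s %s\n", names[s], path);
    s = resolve_engine("pkcs11", "/usr/local/ssl/engines", probe_nothing_installed, path, sizeof path);
    printf("pkcs11:  %s\n", names[s]);
    return 0;
}
```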