On Tue, Sep 18, 2007, Pierre-Yves Ritschard via RT wrote:

> On Tue, 18 Sep 2007 15:44:46 +0200 (CEST)
> "Ben Laurie via RT" <[EMAIL PROTECTED]> wrote:
> 
> > According to our records, your request has been resolved. If you have
> > any further questions or concerns, please respond to this message.
> 
> I don't agree with this, as Steve stated in a previous email:
> 
> > Instead of relying on file based SSL functions you can instead rely on
> > structure based ones using X509, EVP_PKEY et al.
> > 
> > You'd load the structures outside the jail and keep them hanging
> > around inside.
> > 
> > Then when you need to reload you just pass the necessary structures.
> 
> Here is the reply I sent:
> 
> There's no reliable way to pass these structures on an AF_UNIX socket
> since I don't know their internals (without pulling in header files I'm
> not supposed to) and there are other pointers in the X509 and related
> structs.
> 

Well, if you really wanted to, you could pass their encoding using i2d_X509()
and d2i_X509() at the other end, but that's not the cleanest way.

> If you guys think it's still achievable without changing openssl, then
> fine. I really don't see a clean way without breaking the API though.
> At least there is no documented way of doing this without API violation
> unless I missed something.
> 

Well, other than the new error codes, you are largely making use of documented
functions in OpenSSL so that the whole functionality could be implemented
(with few changes) outside the ssl library at an application level.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
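
An added illustration of the i2d_X509()/d2i_X509() route suggested in the message above; it is not code from this thread or from OpenSSL. It covers the AF_UNIX transport of the encoded bytes between the process outside the jail and the one inside: send_der, recv_der, xfer, der_total_len and the MAX_DER limit are hypothetical names, and the comments mark where the two OpenSSL calls would sit.

```c
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define MAX_DER 65536u  /* assumed upper bound for one encoded certificate */

/* Loop until exactly n bytes are moved; stream sockets may split transfers. */
static int xfer(int fd, void *buf, size_t n, int writing) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = writing ? write(fd, p, n) : read(fd, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Total size declared by the outer DER SEQUENCE header, or 0 if malformed. */
static size_t der_total_len(const unsigned char *d, size_t n) {
    if (n < 2 || d[0] != 0x30) return 0;
    if (d[1] < 0x80) return 2 + (size_t)d[1];
    size_t nb = d[1] & 0x7f, len = 0;
    if (nb == 0 || nb > 3 || n < 2 + nb) return 0;
    for (size_t i = 0; i < nb; i++) len = (len << 8) | d[2 + i];
    return 2 + nb + len;
}

/* Outside the jail: der/len would be the buffer filled by i2d_X509(). */
int send_der(int fd, const unsigned char *der, size_t len) {
    if (len == 0 || len > MAX_DER) return -1;
    uint32_t be = htonl((uint32_t)len);          /* 4-byte length prefix */
    if (xfer(fd, &be, sizeof be, 1) < 0) return -1;
    return xfer(fd, (void *)der, len, 1);
}

/* Inside the jail: returns the byte count to hand to d2i_X509(), or -1. */
long recv_der(int fd, unsigned char *buf, size_t cap) {
    uint32_t be;
    if (xfer(fd, &be, sizeof be, 0) < 0) return -1;
    size_t len = ntohl(be);
    if (len == 0 || len > MAX_DER || len > cap) return -1;
    if (xfer(fd, buf, len, 0) < 0) return -1;
    if (der_total_len(buf, len) != len) return -1;  /* prefix and DER disagree */
    return (long)len;
}
```

Only bytes cross the socket, so no pointer from the X509 structure leaves the sending process; the receiver rebuilds its own structure from the buffer and should close the socket on any -1.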
