On Thu, Nov 22, 2007 at 02:40:40PM +0000, Joe Orton wrote:
> > +#if HAVE_DECL_EVP_PKEY_CTX_NEW
> > +    /* load certs */
> > +    data->sslCtx = SSL_CTX_new(SSLv23_server_method());
>
> Again dead code, and weird code - why mess with an SSL_CTX if doing
> encryption?
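Review bot: The `#if HAVE_DECL_EVP_PKEY_CTX_NEW` guard tests for the EVP_PKEY_CTX API, yet the code it enables is `data->sslCtx = SSL_CTX_new(SSLv23_server_method());`, which uses neither; the feature check and the guarded code do not match, so either guard on what the block actually calls or drop the SSL_CTX and read the PEM files directly.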
Ah, I missed the ssl.m4 change.

The apr_evp_factory_create() interface is just poor API design. Instead of having the "purpose" enum and a single function which ignores half the arguments depending on which "purpose" is used, have two separate functions. The "engine" argument seems completely unused and undocumented, also.

All the SSL_CTX seems to be used for is to read PEM-format files, which is massive overkill; "man PEM".

As with the existing SSL code there is absence of consideration of how to handle the OpenSSL error stack and abstracting errors; at least clearing it after failure would be the minimal acceptable if there are no errors which need to be distinguished in the API.

joe
