Hi there,

On February 17, 2004 03:26 pm, Serge Hallyn wrote:
> We have a need to use a dynamic OpenSSL engine under apache. The
> attached patch (against 2.0.48) directs apache to accept ssl.conf
> directives such as:
>
> SSLCryptoDevice dynamic
> SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
> SSLCryptoDevID ibmca
>
> directing openssl to load hw_ibmca.so dynamically as engine id ibmca.
>
> Is there a fundamental complaint against incorporation of this feature?

Not a fundamental one, but something more aesthetic, yeah :-)

I wrote a patch ages ago (that hasn't been updated since) to add more generalised control-command support to Apache. That was for mod_ssl/apache-1.3 though, so it has only illustrative value for now. You can link to the patch and the explanatory email down in the "news" section of:

  http://www.geoffthorpe.net/crypto/

(yes, another page that hasn't been updated in a while).

The idea of control-commands is more general than supplying a shared-library path or an ID, so I think it makes sense to add the more general mechanism if we are going to go this route at all. Eg. your above example would then be:

  SSLCryptoDevice dynamic
  SSLCryptoDeviceCtrl SO_PATH:/usr/local/lib/hw_ibmca.so
  SSLCryptoDeviceCtrl ID:ibmca

As another example of where this can go, using HSM keys (or smart-cards, usb-keys, etc) via custom control commands could be entirely supported in this way - without needing to recompile openssl or apache. (An engine can expose control commands to identify and load private keys, and the private key file loaded by Apache could instead contain stub data interpreted by the engine implementation to refer to the HSM keys). It's a bit of an ugly hack, but it works. The point being: the only limit on what you can do from the configuration file is what the engine implementation exposes in the way of control commands - neither apache nor openssl need to be adjusted for each feature.

Note also that as of openssl 0.9.8, platforms that have DSO_METHOD support implemented will be able to automatically load shared-library engines without any of this. ENGINE_by_id("foo") will attempt to automatically load and bind libfoo.so (dlfcn), "foo.dll" (win32), [etc] from a specific sub-directory of the openssl installation if the "foo" ENGINE doesn't already exist.

So if Apache doesn't want to go the route of generalised control commands, they could wait until 0.9.8 is out and then this basic use-case will be available transparently, without any change to what's there now.

Cheers,
Geoff

-- 
Geoff Thorpe [EMAIL PROTECTED]
http://www.geoffthorpe.net/
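The directive-to-control-command translation Geoff sketches above, as an added example that is not part of the original thread, Geoff's patch, or Apache's code: it maps both Serge's SSLCryptoLibpath/SSLCryptoDevID directives and the generic SSLCryptoDeviceCtrl CMD:VALUE form to the ordered (command, argument) pairs a loader would pass to OpenSSL's ENGINE_ctrl_cmd_string() for the "dynamic" engine. The directive names are from the thread; the struct and function names are this example's own, and the check that SO_PATH and ID are set before the dynamic engine's LOAD control command reflects how OpenSSL's dynamic engine works, not anything stated in the thread.

```c
/* Added example, not Geoff's patch or Apache's code: turn the thread's ssl.conf directives
 * into the (command, argument) pairs ENGINE_ctrl_cmd_string() would get for "dynamic". */
#include <stdio.h>
#include <string.h>
#define MAX_CTRLS 16
struct ctrl { char cmd[32]; char arg[256]; };   /* arg "" = ctrl takes no value */
struct engine_cfg { char id[32]; int nctrls; struct ctrl ctrls[MAX_CTRLS]; };
static int add_ctrl(struct engine_cfg *c, const char *cmd, const char *arg)
{
    size_t i;
    if (c->nctrls >= MAX_CTRLS || *cmd == '\0' || strlen(cmd) > 31 || strlen(arg) > 255)
        return 0;
    for (i = 0; cmd[i]; i++)    /* ENGINE ctrl names are UPPER_CASE tokens */
        if (!strchr("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", cmd[i]))
            return 0;
    strcpy(c->ctrls[c->nctrls].cmd, cmd);
    strcpy(c->ctrls[c->nctrls].arg, arg);
    c->nctrls++;
    return 1;
}
/* Parse one "Directive value" line; returns 1 if accepted, 0 if malformed or unknown. */
int parse_directive(struct engine_cfg *c, const char *line)
{
    char name[64], value[512], *colon;
    if (sscanf(line, "%63s %511s", name, value) != 2)
        return 0;
    if (strcmp(name, "SSLCryptoDevice") == 0) {     /* engine id, e.g. "dynamic" */
        if (strlen(value) > 31) return 0;
        strcpy(c->id, value);
        return 1;
    }
    if (strcmp(name, "SSLCryptoLibpath") == 0)      /* Serge's form -> SO_PATH ctrl */
        return add_ctrl(c, "SO_PATH", value);
    if (strcmp(name, "SSLCryptoDevID") == 0)        /* Serge's form -> ID ctrl */
        return add_ctrl(c, "ID", value);
    if (strcmp(name, "SSLCryptoDeviceCtrl") == 0) { /* Geoff's generic CMD[:VALUE] form */
        if ((colon = strchr(value, ':')) != NULL) *colon++ = '\0';
        return add_ctrl(c, value, colon ? colon : "");
    }
    return 0;
}
/* "dynamic" needs SO_PATH and ID before its LOAD ctrl actually opens the shared library. */
int dynamic_cfg_complete(const struct engine_cfg *c)
{
    int so_path = 0, id = 0, i;
    for (i = 0; i < c->nctrls; i++) { so_path |= !strcmp(c->ctrls[i].cmd, "SO_PATH"); id |= !strcmp(c->ctrls[i].cmd, "ID"); }
    return strcmp(c->id, "dynamic") == 0 && so_path && id;
}
```

Both configurations from the thread produce the sequence SO_PATH, ID (and then whatever further ctrls, such as LOAD, the engine expects), which is the point Geoff makes about the generic form subsuming the specific directives.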