Graham Leggett wrote:
Hi all,
Having just finished the next iteration of abstracted crypto support for
APR (currently on apr-util-trunk), a problem has cropped up with the
assumptions made by mod_ssl and mod_nss.
To date, both mod_ssl and mod_nss have made the assumption that they
will be the only crypto modules loaded into the server, and so have
"owned" the task of crypto initialisation.
OpenSSL seems to be tolerant of being initialised twice, and so it has
been possible for mod_ssl, mod_session_crypto and the external
mod_auth_openid to coexist within the same server and this has worked,
but by accident.
The same cannot be said however for NSS - NSS requires that a crypto
database be specified on initialisation, and if two modules tried to
initialise NSS independently of each other, much confusion and
brokenness will result.
Then the API is broken.
OpenSSL and GnuTLS both allow 'double' initialization, as long as they
are also deinitialized the same number of times, just like APR does too.
What I propose to do to fix this for v2.4 and beyond is write a simple
module mod_crypto whose job it is to initialise the user's chosen
crypto(s) at most once, and serve as a parent module to mod_ssl and any
other crypto module that wants to play.
Make the API authors fix their APIs, don't add another module.
-Paul