Paul Querna wrote:
Then the API is broken. OpenSSL and GnuTLS both allow 'double' initialization, as long as they are also deinitialized the same number of times, just like APR does too.

What I propose to do to fix this for v2.4 and beyond is write a simple module mod_crypto whose job it is to initialise the user's chosen crypto(s) at most once, and serve as a parent module to mod_ssl and any other crypto module that wants to play.

Make the API authors fix their APIs, don't add another module.

I suspect we are 12 years too late on this particular issue. While the httpd project certainly is well known, I would be pressed to think that Microsoft or NSS will change their long established APIs on our account.
If OpenSSL does support double initialisation (this capability isn't mentioned in the OpenSSL API), then the problem is reduced to modules using NSS or CAPI only, which means that the scope of the initialisation module would reduce to modules using the crypto abstraction layer only, and mod_ssl can be left alone.
This does sound like a cleaner approach.

Regards,
Graham
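
The at-most-once initialisation discussed in this message, as an added example (not code from httpd or from either poster): a reference-counted guard in front of a backend that rejects a second init. `backend_init`, `backend_term` and the `crypto_guard_*` names are hypothetical, and the guard assumes it is called only from single-threaded startup and shutdown code.

```c
#include <stdio.h>

/* Hypothetical backend that must be initialised at most once; it stands
 * in for a crypto library without nested-init support. */
static int backend_live = 0;        /* 1 while the backend is initialised */
static int backend_init_calls = 0;  /* how often the real init ran */
static int backend_term_calls = 0;  /* how often the real shutdown ran */

static int backend_init(void)
{
    if (backend_live)
        return -1;                  /* a second init is an error here */
    backend_live = 1;
    backend_init_calls++;
    return 0;
}

static void backend_term(void)
{
    backend_live = 0;
    backend_term_calls++;
}

/* Shared guard: every module calls these, never the backend directly. */
static unsigned guard_refs = 0;

int crypto_guard_init(void)
{
    if (guard_refs == 0 && backend_init() != 0)
        return -1;                  /* first user failed to bring it up */
    guard_refs++;
    return 0;
}

int crypto_guard_term(void)
{
    if (guard_refs == 0)
        return -1;                  /* unbalanced term: refuse, do nothing */
    if (--guard_refs == 0)
        backend_term();             /* last user tears the backend down */
    return 0;
}

int main(void)
{
    crypto_guard_init();            /* first module */
    crypto_guard_init();            /* second module */
    printf("backend inits: %d\n", backend_init_calls);
    crypto_guard_term();
    crypto_guard_term();
    printf("backend terms: %d\n", backend_term_calls);
    return 0;
}
```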
