On 2/3/2012 12:27 PM, Dr Stephen Henson wrote:
> Hmm... the ENGINE code is careful not to shut down an ENGINE if keys exist
> which make use of it.
>
> So there is a possibility that some chain verification leaves a reference
> to an RSA key which prevents the ENGINE from closing down completely.
>
> In engines/e_chil.c try commenting out the line containing
> ERR_load_HWCRHK_strings().
>
> Only side effect of doing that is you will only get numerical error codes
> and not error strings.
>
> Steve.

I will try that on Monday. This is a good tip, though, and gives me an avenue to explore! Thanks!

On 2/3/2012 1:41 PM, Sander Temme wrote:
> Remember the CHIL engine cleanup was fixed to prevent a dangling cleanup
> function pointer... I forget which OpenSSL version got that fix but in any
> case RH only recently backported it.
>
> I'm sure I didn't test with any proxy config at the time.

Correct, sir. I am compiling and packaging for three platforms from the latest sources available - I do all of my testing with two-way proxy authentication. This recent test was openssl 1.0.0g but the behavior is observed also in 0.9.8t. I am certain that this is an issue only when using SSLProxyMachineCertificateChainFile (currently in trunk and proposed for backport in 2.2) with an engine.

--
Daniel Ruggeri
