On 30 Nov 2013, at 9:44 AM, kbr...@apache.org wrote:

> Author: kbrand
> Date: Sat Nov 30 07:44:27 2013
> New Revision: 1546693
> 
> URL: http://svn.apache.org/r1546693
> Log:
> Tweaks for SSLOpenSSLConfCmd:
> - use cfgMergeArray, and reduce the size of the initial array
> - move SSL_CONF_cmd calls from ssl_init_ctx_protocol to
>  ssl_init_server_ctx (so they are applied after ssl_init_server_certs)
> - add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case
> - call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx

A question out of ignorance on my side. Will/can the above directive be able to 
influence / somehow affect the ENGINE_ctrl_cmd_string() openssl call needed 
when using dynamic engines in openssl (the "engine -pre" and "-post" options 
specifically)?

I've picked the pkcs11 support apart in openssl to discover that there are 
really two engines at work, the "dynamic" engine capable of loading engines 
from dynamic libraries, and then the "pkcs11" engine which is just an 
implementation that happens to be (if you use opensc anyway) loadable as a 
dynamic library (this will be obvious to an openssl developer but wasn't 
obvious to me from the documentation I've read to date, which doesn't make 
clear that two engines are at work, or where the one engine begins and the 
other ends).

It would be nice to be able to kill-two-birds-with-one-directive if it makes 
sense to do so (and entirely understand if it doesn't make sense).

Regards,
Graham
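The hand-over between the two engines that the message above describes, as an added example (not code from this thread, httpd or OpenSSL): a small model that classifies an ordered list of `NAME[:VALUE]` control commands, in the form given to `openssl engine -pre`, by which engine would receive each one. It assumes the "dynamic" engine's documented command set and that, after a successful `LOAD`, the same handle refers to the loaded engine; `route_engine_cmds`, the enum and the sample paths are hypothetical and constructed.

```c
#include <stdio.h>
#include <string.h>

/* Control commands implemented by OpenSSL's built-in "dynamic" engine. */
static const char *const DYNAMIC_CMDS[] = {
    "SO_PATH", "NO_VCHECK", "ID", "LIST_ADD", "DIR_LOAD", "DIR_ADD", "LOAD"
};

enum target { TO_DYNAMIC, TO_LOADED, REJECTED };

static int is_dynamic_cmd(const char *s, size_t len) {
    for (size_t i = 0; i < sizeof DYNAMIC_CMDS / sizeof *DYNAMIC_CMDS; i++)
        if (strlen(DYNAMIC_CMDS[i]) == len && memcmp(DYNAMIC_CMDS[i], s, len) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: walks the commands in order and records, per command,
 * which engine sits behind the handle at that point. Before LOAD only the
 * dynamic engine's own commands are understood; anything else is REJECTED.
 * After LOAD every command goes to the loaded engine (whether that engine
 * accepts it is not modelled). Returns the number of rejected commands. */
int route_engine_cmds(const char *const *cmds, size_t n, enum target *out) {
    int loaded = 0, rejected = 0;
    for (size_t i = 0; i < n; i++) {
        const char *colon = strchr(cmds[i], ':');
        size_t len = colon ? (size_t)(colon - cmds[i]) : strlen(cmds[i]);
        if (loaded) {
            out[i] = TO_LOADED;
        } else if (is_dynamic_cmd(cmds[i], len)) {
            out[i] = TO_DYNAMIC;
            if (len == 4 && memcmp(cmds[i], "LOAD", 4) == 0)
                loaded = 1;   /* the handle now is the loaded engine */
        } else {
            out[i] = REJECTED;
            rejected++;
        }
    }
    return rejected;
}

int main(void) {
    /* Constructed sample: paths are placeholders, not taken from the thread. */
    static const char *const cmds[] = {
        "SO_PATH:/usr/lib/engines/engine_pkcs11.so", "ID:pkcs11",
        "LIST_ADD:1", "LOAD", "MODULE_PATH:/usr/lib/opensc-pkcs11.so"
    };
    static const char *const names[] = { "dynamic", "loaded engine", "rejected" };
    enum target t[5];
    int bad = route_engine_cmds(cmds, 5, t);
    for (size_t i = 0; i < 5; i++)
        printf("%-45s -> %s\n", cmds[i], names[t[i]]);
    return bad;
}
```
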