Hi,
On Sat, 31 Mar 2001, Ralf S. Engelschall wrote:
> Thanks for the hints, Geoff. How about the following for mod_ssl 2.8.3?
Looks good ... one question:
> Index: ssl_engine_config.c
> ===================================================================
> RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_config.c,v
> retrieving revision 1.77
> diff -u -d -r1.77 ssl_engine_config.c
> --- ssl_engine_config.c 2001/03/30 10:03:04 1.77
> +++ ssl_engine_config.c 2001/03/31 07:51:25
> @@ -450,7 +450,14 @@
> SSLModConfigRec *mc = myModConfig();
> const char *err;
> ENGINE *e;
> +#if SSL_LIBRARY_VERSION >= 0x00907000
> + static int loaded_engines = FALSE;
>
> + if (!loaded_engines) {
> + ENGINE_load_builtin_engines();
> + loaded_engines = TRUE;
> + }
> +#endif
> if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
> return err;
> if (strcEQ(arg, "builtin")) {
>
Is that "loaded_engines" stuff to get round the braindead double-initialisation
of Apache? If so, yes that works but I don't recall the rest of the code being
wrapped up in any similar one-time-only trickery. The setting of the default
engine should also happen only once, and should happen the before any loading of
keys. Loading and setting of RSA/DSA keys (and certs) should also happen only
once, in case they're not already. BTW: If soft restarts are supposed to make it
possible to change the SSLCryptoDevice through a config-file edit, then I
suspect that code may need to be added and checked to cover against memory leaks
and other things.
Eg. even if mod_ssl starts using a different engine during a HUP (or whatever),
the old engine may still have dangling references that prevent it from unload
any shared libraries it depends on. As a result, it may be impossible for
example to upgrade an ENGINE's shared-library driver by simply switching to the
"software" engine for a few seconds. It would require you bring down all the
httpd processes (including the parent) before the shared-libraries would be
properly unloaded - ie. even if the file-system lets you replace the
shared-library file, a soft restart back to the original ENGINE will not load
the new shared-library, it will stick with the one it still had loaded from
before.
Let me know if this is important, or even relevant - I don't follow Apache's
initialisation and restart scheme nearly well enough to see if HUPs and restarts
even apply to any of this. If it does, I'll help fix this up if you can give me
some pointers about mod_ssl ...
Cheers,
Geoff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
