Hi all,

I've just whipped up this patch to the latest (one hopes) version of mod_ssl. It adds a new directive, 'SSLCryptoDeviceCtrl', to supplement the existing directive that hooks the "ENGINE" API of OpenSSL (ie. 'SSLCryptoDevice', without the 'Ctrl' suffix).

http://www.geoffthorpe.net/crypto/mod_ssl-2.8.4-1.3.20-control.diff

ENGINEs in OpenSSL can support arbitrary commands that "expose" themselves to the framework and application code using it (eg. Apache/mod_ssl). This way, weird hardware (or software) ENGINE plugins can determine the set of commands they expose to allow users/applications to configure them.

NB: This support only works with recent snapshots of OpenSSL - certainly no release versions have support for the control-command stuff and older 0.9.7-dev snapshots don't either.

Currently, all the OpenSSL ENGINEs support at least the "SO_PATH" command, for controlling where the dynamically loaded vendor library is loaded from. So for example, when using ENGINE 'foo', you can specify a non-default location for the shared library using the following syntax in the config file;

    SSLCryptoDevice foo
    SSLCryptoDeviceCtrl SO_PATH:/lib/foo-install/libs/libfoo.so

ENGINEs can implement other control commands too (run "openssl engine -vvvv" from a recent snapshot to see what's supported in the available engines). Also, if an engine supports commands that can or should be executed *after* the engine is initialised then you can stick an optional "pre" or "post" parameter after the command string. Normally however, commands are executed prior to initialisation to make it possible to initialise an engine - so "pre" is the default.

Eg. if a crypto device supported a command "LOCK" that prevents any further key-setup and/or interrogation of the crypto device, you could have the Apache initialisation call this command (which we'll assume takes no parameters) after initialisation has happened but before child processes are fork()d and used. Eg.

    SSLCryptoDevice foo
    SSLCryptoDeviceCtrl SO_PATH:/lib/foo-install/libs/libfoo.so
    SSLCryptoDeviceCtrl LOCK post

Please CC both me and the list any feedback on the use of this directive so any problems can be resolved before I bug Ralf about including this in a release. :-)

Thanks,
Geoff
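
The directive syntax described above, as an added example that is not part of the original post and is not code from the patch: it parses the arguments of one SSLCryptoDeviceCtrl line and applies a conservative file check to an SO_PATH value. The names ctrl_cmd, parse_ctrl and so_path_safe, the split at the first ':', and the policy (absolute path, regular file, root-owned, not group/other-writable) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical type and function names; not taken from the patch. */
typedef struct {
    char cmd[64];   /* control command name, e.g. "SO_PATH" */
    char arg[256];  /* text after the first ':', empty if none */
    int  post;      /* 0 = before engine init (the default), 1 = after */
} ctrl_cmd;

/* Parse the arguments of one directive line: "CMD[:ARG] [pre|post]".
 * Returns 0 on success, -1 on malformed or over-long input. */
int parse_ctrl(const char *line, ctrl_cmd *out)
{
    char first[321], phase[8] = "pre", extra[2];
    int n = sscanf(line, "%320s %7s %1s", first, phase, extra);
    if (n < 1 || n > 2) return -1;          /* empty, or trailing tokens */
    if (strcmp(phase, "post") == 0) out->post = 1;
    else if (strcmp(phase, "pre") == 0) out->post = 0;
    else return -1;                         /* unknown phase keyword */
    char *colon = strchr(first, ':');
    size_t clen = colon ? (size_t)(colon - first) : strlen(first);
    const char *arg = colon ? colon + 1 : "";
    if (clen == 0 || clen >= sizeof out->cmd || strlen(arg) >= sizeof out->arg)
        return -1;
    memcpy(out->cmd, first, clen);
    out->cmd[clen] = '\0';
    strcpy(out->arg, arg);                  /* length checked above */
    return 0;
}

/* SO_PATH names a library that is dynamically loaded by the server, so
 * accept only an absolute path to a regular, root-owned file that group
 * and others cannot write. Parent directories are not checked here. */
int so_path_safe(const char *path)
{
    struct stat st;
    if (path[0] != '/' || stat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == 0 &&
           (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(void)
{
    ctrl_cmd c;  /* input below is the example line from the post */
    if (parse_ctrl("SO_PATH:/lib/foo-install/libs/libfoo.so", &c) == 0)
        printf("%s arg=%s %s\n", c.cmd, c.arg, c.post ? "post" : "pre");
    return 0;
}
```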
