Hello,

> Typically engines initialize themselves in bind(), if not, they are
> initialized by openssl.cnf ("default_algorithms"), why use "init = 0" in
> your openssl config and rely this openssl engine stuff to nginx?

Following the OpenSSL documentation, the application is responsible for initializing the engines. Some engines, like the engine_pkcs11, rely on this and expect an explicit call to ENGINE_init(). The engines which initialize themselves, as far as I know, are actually doing a workaround to avoid the problem with non-compliant applications.

In the specific case of engine_pkcs11, setting "init" and "default_algorithms" in openssl.cnf does not initialize the engine.

It would be interesting for nginx to follow the OpenSSL documentation and be compatible with more engines. For the specific case of the engine_pkcs11, it is interesting to support it because it allows using PKCS#11 URIs transparently.

There were efforts in the past ([0], [1], [2]) to improve the support for PKCS#11 integration with nginx.

[0] http://mailman.nginx.org/pipermail/nginx-devel/2014-November/006188.html
[1] http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006786.html
[2] http://mailman.nginx.org/pipermail/nginx-devel/2015-June/007074.html

Best regards,
Anderson