Hello,
> > > In my opinion it would be better to have nginx working with engines in
> > > both scenarios.
> > > And is not a problem to call ENGINE_init() from multiple places, since
> > > the API takes care of this case.
> >
> > I'll check these statements in your next patch, but for now it
> > seems an odd functionality to me, because we have openssl config
> > and even nginx ssl_engine directive for that.
>
> Note that the "ssl_engine" directive is not to initialize engines,
> but rather to register an engine as the default one for operations it
> supports. It is designed to make it possible to work with various
> SSL accelerators.
I believe this patch does not affect the "ssl_engine" directive anymore.
I removed everything I could to make the patch minimal. And changed the log
message to be more specific.
I will send the other changes in a new thread.
The patch follows:
# HG changeset patch
# User Anderson Toshiyuki Sasaki <ansas...@redhat.com>
# Date 1524841096 -7200
# Fri Apr 27 16:58:16 2018 +0200
# Node ID f5b0a791092224ff5d3eaf4da9a95e6018e7235f
# Parent 46c0c7ef4913011f3f1e073f9ac880b07b1a8154
SSL: Add ENGINE_init() call before loading key.
It is necessary to call ENGINE_init() before using an OpenSSL engine
to get the engine functional reference. Without this, when
ENGINE_load_private_key() is called, the engine is still unitialized.
diff -r 46c0c7ef4913 -r f5b0a7910922 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Apr 25 14:57:24 2018 +0300
+++ b/src/event/ngx_event_openssl.c Fri Apr 27 16:58:16 2018 +0200
@@ -527,6 +527,13 @@
return NGX_ERROR;
}
+ if (!ENGINE_init(engine)) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_init(engine) failed");
+ ENGINE_free(engine);
+ return NGX_ERROR;
+ }
+
*last++ = ':';
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
