Hello! On Tue, Dec 07, 2021 at 03:01:40PM -0500, Bradley Hess wrote:
> Hello Maxim,
>
> Ah, well that explains why a patch like this has never been upstreamed,
> even though it exists in a bunch of places on teh interwebz. Sorry,
> I didn't do enough archeology here.
>
> I didn't realize the `init = 1` workaround existed, so thanks for the
> pointer there. However, it would be ideal if users could use OpenSSL's
> dynamic engine loading, and avoid authoring an OpenSSL config file.
>
> From the description in the issue you linked, it looks like the patch was
> removed for OpenSSL 1.0.x compatibility. Would you accept a patch that
> supplies the init/finish directives only if the OpenSSL version >= 1.1.0?
>
> At this point many distros have OpenSSL 1.1 and a fixed PKCS #11 engine;
> for example, the patch I submitted worked smoothly with OpenSSL 1.1 and the
> PKCS #11 engine available on Debian 11, and without any engine config.

As outlined in the message I linked, at least Ubuntu 18.04 ships OpenSSL 1.1.x but an old pkcs11 engine, so the patch will result in segfaults even if restricted to OpenSSL 1.1.x. As far as I understand, that's still the case.

Note well that engines are deprecated in OpenSSL 3.0.

-- 
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
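For readers who want the `init = 1` workaround Maxim refers to in concrete form, here is an OpenSSL configuration fragment. It is an added example, not code from the thread or from the nginx project: it uses the standard OpenSSL engine configuration keys (`engine_id`, `dynamic_path`, `init`), while the file paths and the `MODULE_PATH` value are placeholders that must be replaced with the real engine and PKCS #11 module locations on the host.

```ini
# openssl.cnf fragment (added example; paths are placeholders)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# placeholder: location of the pkcs11 engine shared object (libp11)
dynamic_path = /path/to/engines-1.1/pkcs11.so
# placeholder: location of the PKCS #11 provider module (token/HSM driver);
# MODULE_PATH is forwarded to the engine as a control command
MODULE_PATH = /path/to/pkcs11-module.so
# initialize the engine while OpenSSL loads this config, so the application
# does not have to initialize it itself (the workaround discussed in the thread)
init = 1
```

OpenSSL reads this file from its default location or from the path named in the `OPENSSL_CONF` environment variable; with the engine initialized at config load, nginx can refer to it through its own `ssl_engine` directive without any engine-specific patch. Because engines are deprecated in OpenSSL 3.0, as noted above, treat this as a bridge for OpenSSL 1.1 deployments rather than a long-term design, and verify the distribution's engine version before relying on it, given the Ubuntu 18.04 segfault Maxim describes.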