At 10:00 AM 12/11/02 +0100, Richard Levitte - VMS Whacker wrote:
>In message <[EMAIL PROTECTED]> on Wed, 11 Dec 2002 08:56:19 +0000, Bertie <[EMAIL PROTECTED]> said:
>
>bertie> Yep, this solution works if you are an application developer
>bertie> wanting to use chil engine. This is not much help if you are
>bertie> say an Apache user who wanted to use an nCipher HSM to protect
>bertie> their Apache keys - They will get your error message but won't
>bertie> be able to fix the problem, they will phone nCipher support
>bertie> and we'll end up giving them a patch to apply.
>
>And I assume application author will be notified (for what we
>discussed, that would be the Apache team and Ralf (author of mod_ssl),
>right?), or are you skipping that kind of step?

No, absolutely not, I guess the issue is how many commonly used multithreaded openssl apps are there out there that will need to be notified, and how responsive are they. I don't really know the answer to this but if it is just Apache2 then helping Apache2 implement the dynlock upcalls is a reasonable solution.

>We could ask Ralf to take a peek at that as soon as possible and make
>sure dynamic lock callbacks are provided. He *is* part of the OpenSSL
>dev team, after all...

That's definitely useful, I would be interested to know how Ralf gets on implementing the dynlock upcalls in mod_ssl without having a context in dynlock_create_upcall, I couldn't see a nice way to do it, but then I am not very familiar with the Apache code.

>We still have the problem with older versions of the applications, but
>I presume that if the users can upgrade OpenSSL, they can also upgrade
>other parts of the system... Is that too tough a presumption?

No, we can't escape this problem, there is no way that applications using the 0.9.6 API can hope to make use of the chil engine.

Bertie
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
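
For reference, an added sketch (not code from this thread, mod_ssl or OpenSSL) of the three dynamic lock callbacks an application supplies, using pthreads. Because the create callback receives only a file name and line number, the application context is passed through file-scope state; `g_app_ctx`, `dynlock_set_context` and `owner_ctx` are hypothetical names, and the two mode constants repeat the values from OpenSSL's crypto.h so the block builds without the OpenSSL headers.

```c
#include <pthread.h>
#include <stdlib.h>

/* Mode bits as in OpenSSL's crypto.h, repeated so this builds stand-alone. */
#define CRYPTO_LOCK   1
#define CRYPTO_UNLOCK 2

/* OpenSSL only forward-declares this struct; the application defines it. */
struct CRYPTO_dynlock_value {
    pthread_mutex_t mutex;
    void *owner_ctx;        /* hypothetical: context active at creation */
};

/* The create callback gets only (file, line), so any application context
 * has to reach it through state set before the callbacks are registered. */
static void *g_app_ctx;     /* hypothetical application context */

void dynlock_set_context(void *ctx) { g_app_ctx = ctx; }

struct CRYPTO_dynlock_value *dynlock_create_cb(const char *file, int line)
{
    struct CRYPTO_dynlock_value *l = malloc(sizeof(*l));
    (void)file; (void)line;
    if (l == NULL) return NULL;
    if (pthread_mutex_init(&l->mutex, NULL) != 0) {
        free(l);            /* report failure instead of a half-built lock */
        return NULL;
    }
    l->owner_ctx = g_app_ctx;
    return l;
}

void dynlock_lock_cb(int mode, struct CRYPTO_dynlock_value *l,
                     const char *file, int line)
{
    (void)file; (void)line;
    if (mode & CRYPTO_LOCK)     /* mode also carries read/write bits */
        pthread_mutex_lock(&l->mutex);
    else
        pthread_mutex_unlock(&l->mutex);
}

void dynlock_destroy_cb(struct CRYPTO_dynlock_value *l,
                        const char *file, int line)
{
    (void)file; (void)line;
    pthread_mutex_destroy(&l->mutex);
    free(l);
}
```

With the 0.9.7 headers these are registered once at start-up through CRYPTO_set_dynlock_create_callback, CRYPTO_set_dynlock_lock_callback and CRYPTO_set_dynlock_destroy_callback.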