Hi Colin, On September 19, 2003 01:16 pm, Colin Watson wrote: > On Wed, Sep 17, 2003 at 10:23:46AM -0400, Geoff Thorpe wrote: [snip] > > have time for. If yours arrives on a busy day (or during a period > > when the person who should deal with it is away) then there are good > > chances it will slip by. > > No trouble, I know the drill - just thought I'd send a ping.
Good thing too, otherwise you'd still be waiting :-) > > Mail lists are UDP, the request tracker is TCP, for a tenuous > > analogy. Please submit the patch to RT and let me know the ticket > > number (or have you already done so?); > > http://www.openssl.org/support/rt2.html > > Yep, it got picked up automatically from my initial post. It's #668. Ah, ok - Lutz probably caught it. I've gone and given myself ownership of the ticket, so I should be notified now when anything happens. > > In other words, I think the falling back to software should be > > configurable and should require the blessing of the user or coder. At > > one level, you can expose a control command in the ENGINE to > > configure this, and you could also support an environment variable > > check for "default" behaviour so that precompiled and unconfigurable > > apps can still be "configured" by the user. > > OK, I see the mechanism. Have you any preferences for the environment > variable name (or names - perhaps RSA and modexp fallback should be > configurable separately)? Something starting with "OPENSSL_NCIPHER" would make sense from a namespacing point of view. Beyond that, it's up to you and what you want your hardware customers to see - if it's namespaced unintrusively it doesn't really affect anyone except you and them. My only "requirement" here (I hesitate to use such a draconian word, I'm more flexible than that, really :-) is that openssl's behaviour is to not facilitate smoke and mirrors behind the back of the user or the application - hence making sure you don't "transparently" change the nature of operations without someone or something asking you to. The rest is between you and users of ncipher hardware. Note that from the release of openssl-0.9.8 onwards, I'm hoping you could provide ENGINE implementations directly to your customers as shared-libraries anyway, in which case openssl would have *no* influence over how this works anyway. > > Note, these comments are perhaps in contradiction with the current > > behaviour of one or two ENGINEs already in the source, but that's > > because I haven't had the time to change them and get the appropriate > > people (who have the hardware) to verify the results. > > I was following the lead of the other ENGINEs, indeed. Yup - I might open myself a RT ticket to address this so that I don't forget (again). In fact, if you go about getting this done properly for the ncipher support, I may end up following suit in the others for consistency. NB: As/when you've got another version of the patch ready, please just add it to the ticket and I should get notified. Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED] http://www.openssl.org/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
