Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
On 30.11.2013 12:54, Graham Leggett wrote:
> A question out of ignorance on my side. Will/can the above directive be able to influence / somehow affect the ENGINE_ctrl_cmd_string() openssl call needed when using dynamic engines in openssl (the engine -pre and -post options specifically)?

Steve is probably the best person to answer this, but in my view, SSLOpenSSLConfCmd is meant to expose the SSL_CONF API, and should not be used to mix in ENGINE API things, too.

SSLOpenSSLConfCmd is basically a per-SSL_CTX thing, i.e. per-vhost SSL stuff. ENGINE(s) shouldn't have to be configured at the vhost level, hopefully (cf. the current SSLCryptoDevice directive, which is server config context only).

Kaspar
Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
On 01/12/2013 11:16, Kaspar Brand wrote:
> On 30.11.2013 12:54, Graham Leggett wrote:
>> A question out of ignorance on my side. Will/can the above directive be able to influence / somehow affect the ENGINE_ctrl_cmd_string() openssl call needed when using dynamic engines in openssl (the engine -pre and -post options specifically)?
>
> Steve is probably the best person to answer this, but in my view, SSLOpenSSLConfCmd is meant to expose the SSL_CONF API, and should not be used to mix in ENGINE API things, too.

Well, at present there is no ENGINE interface for SSL_CONF. As pointed out, it isn't a good fit for general ENGINE configuration, but it could be updated in future to support ENGINE-based private keys.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road, Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
On 30/11/2013 11:54, Graham Leggett wrote:
> I've picked the pkcs11 support apart in openssl to discover that there are really two engines at work, the dynamic engine capable of loading engines from dynamic libraries, and then the pkcs11 engine which is just an implementation that happens to be (if you use opensc anyway) loadable as a dynamic library (this will be obvious to an openssl developer but wasn't obvious to me from the documentation I've read to date, which doesn't make clear that two engines are at work, or where the one engine begins and the other ends).

Well, normally the dynamic ENGINE doesn't matter because it is handled transparently behind the scenes. If you look up an ENGINE called pkcs11 it will first look in its internal table. If that fails it attempts to use the dynamic ENGINE to load an ENGINE from an appropriate directory with an appropriate name. The precise location depends on how OpenSSL is configured, but it might for example try to load /usr/local/ssl/engines/libpkcs11.so. If that fails you get an error.

It's only if you want to load an ENGINE manually that you have to worry about the dynamic ENGINE.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road, Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
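Putting the two points above together (Kaspar's: SSLOpenSSLConfCmd is a per-SSL_CTX, i.e. per-vhost, thing and ENGINE setup belongs in server config context; Steve's: an ENGINE ID is first looked up in OpenSSL's internal table and otherwise loaded through the dynamic ENGINE from the configured engines directory), here is an httpd configuration sketch added purely for illustration. It is not from the thread, from httpd's documentation or from OpenSSL; the engine ID pkcs11, the file paths, the server name and the particular SSL_CONF commands are assumptions for the example.

```apache
# Added example, not from the thread. Engine ID, paths, vhost name and the
# SSL_CONF commands below are assumptions chosen for illustration.

# Server config context only: mod_ssl hands the ID to the ENGINE API, which
# checks OpenSSL's internal ENGINE table first and otherwise lets the "dynamic"
# ENGINE try to load <ENGINESDIR>/libpkcs11.so. There is no httpd directive
# that replays "openssl engine -pre SO_PATH:... -pre LOAD" style commands, so
# the shared object has to be findable under OpenSSL's default search.
SSLCryptoDevice pkcs11

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Per-SSL_CTX settings via the SSL_CONF API (one SSL_CTX per vhost); since
    # r1546693 these are applied after the vhost's certificates are loaded.
    SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference
    SSLOpenSSLConfCmd ECDHParameters prime256v1
</VirtualHost>

# Wrong scope, shown for contrast: SSLCryptoDevice is rejected inside a
# <VirtualHost> ("not allowed here"), and SO_PATH is an ENGINE ctrl command,
# not an SSL_CONF command, so SSL_CONF_cmd() does not recognise it and
# mod_ssl refuses to start.
#
# <VirtualHost *:443>
#     SSLCryptoDevice pkcs11
#     SSLOpenSSLConfCmd SO_PATH /usr/lib/ssl/engines/libpkcs11.so
# </VirtualHost>
```

The split mirrors the underlying OpenSSL APIs: one ENGINE registration for the whole server process, and one SSL_CONF_CTX per SSL_CTX for the per-vhost protocol, cipher and curve settings.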
Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
On 30 Nov 2013, at 9:44 AM, kbr...@apache.org wrote:
> Author: kbrand
> Date: Sat Nov 30 07:44:27 2013
> New Revision: 1546693
>
> URL: http://svn.apache.org/r1546693
> Log:
> Tweaks for SSLOpenSSLConfCmd:
> - use cfgMergeArray, and reduce the size of the initial array
> - move SSL_CONF_cmd calls from ssl_init_ctx_protocol to ssl_init_server_ctx (so they are applied after ssl_init_server_certs)
> - add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case
> - call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx

A question out of ignorance on my side. Will/can the above directive be able to influence / somehow affect the ENGINE_ctrl_cmd_string() openssl call needed when using dynamic engines in openssl (the engine -pre and -post options specifically)?

I've picked the pkcs11 support apart in openssl to discover that there are really two engines at work, the dynamic engine capable of loading engines from dynamic libraries, and then the pkcs11 engine which is just an implementation that happens to be (if you use opensc anyway) loadable as a dynamic library (this will be obvious to an openssl developer but wasn't obvious to me from the documentation I've read to date, which doesn't make clear that two engines are at work, or where the one engine begins and the other ends).

It would be nice to be able to kill two birds with one directive if it makes sense to do so (and I entirely understand if it doesn't make sense).

Regards,
Graham