I dipped into the problem and came to the conclusion that this proposal cannot
be used as a general one.
First, although the ctrl number could be passed in the directive itself, for
example "engine:pkcs11:205:slot_0-id_00", where 205 corresponds to
CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200
I support the base idea to load certificates from engines but
CMD_LOAD_CERT_CTRL ('LOAD_CERT_CTRL') seems not to be defined in openssl; it is
engine-specific functionality. Is that the only way?
And secondly, I cannot imagine that you cannot get a certificate from your
hardware prior to nginx run,
> In my opinion it would be better to have nginx working with engines in both
> scenarios.
> And it is not a problem to call ENGINE_init() from multiple places, since the
> API takes care of this case.
I'll check these statements in your next patch, but for now it seems an odd
functionality to
The original patch was tested on the same setup:
http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
Do you insist that it does not work in the current state?
___
nginx-devel mailing list
nginx-devel@nginx.org
Typically engines initialize themselves in bind(); if not, they are initialized
by openssl.cnf ("default_algorithms"). Why use "init = 0" in your openssl
config and rely this openssl engine stuff to nginx?