[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: svn commit: r1837435 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_init.c

Hi Stefan,

On Mon, Aug 6, 2018 at 1:47 PM, stefan@xxxxxxxxxxx <stefan@xxxxxxxxxxx> wrote:
> Yann and Rüdiger, looking at this, I am thinking about how to improve
> mod_md's init of openssl. Basically, if mod_ssl + mod_md is loaded,
> mod_md does not have to do anything, it seems.
> However, there is a slim chance that someone has another ssl module
> (or none?) and what should mod_md do then? I can copy the crypto
> parts of the pre_config and cleanup code, but given the ever
> increasing version number checks...is there a better way?

I'm currently working on changing APR's apu_dso_load() so that it can
work on the given pool (user controlled lifetime) and also
(optionally) init/deinit the lib.
This is needed (I think) for APR's self handling of its DSOs (focusing
on apr_crypto and openssl for now).
With this in e.g. APR 1.7 (at best), we can simply call
apr_crypto_load_lib("openssl") in each module using openssl like we
currently do in trunk (the dynamic linking part in APR trunk is
currently being disputed, so I'm on the DSO way now...).

Anyway we can't mandate APR 1.7 (at best) in httpd, so I was thinking
of copying interesting bits of apu_dso_load() into e.g. ap_dso_load()
(or a more openssl only version of it), so that it works in httpd with
earlier APR versions too.
So we'd configure, build and install something like
"mod_ssl_openssl.so/dll" (itself dynamically linked with
libcrypto/ssl), that is when a module needs it. Thus we'd
ap_dso_load() it in mod_ssl/md/session/... at pre_config time so that
the load/unload and init/deinit work once for all according to the
given pool (usually the same one, pconf).

Would that work for you?
I'm not too far from having something for APR, and expecting the ap_
part to be quite straight forward (and mostly copy/paste).
Possibly something this week, otherwise after my vacations (more about