Shouldn't no-pinshared be the default?
Richard Levitte
levitte at openssl.org
Tue Mar 5 15:42:49 UTC 2019
Tomas Mraz <tmraz at redhat.com> skrev: (5 mars 2019 14:47:18 CET)
>On Tue, 2019-03-05 at 14:16 +0100, Yann Ylavic wrote:
>> On Tue, Mar 5, 2019 at 12:51 PM Matt Caswell <matt at openssl.org>
>> wrote:
>> >
>> > 2) The no-pinshared option does not appear in 1.1.1 or 1.1.1a. It
>> > first appears
>> > in 1.1.1b. Backporting the option was considered ok. But changing
>> > the default
>> > mid-series is probably not a good idea.
>> >
>> > Changing the default could be considered for 3.0.
>>
>> Yes please, as it stands the 1.1 series is unloadable on the most
>> used
>> openssl libraries, distros'. I find this a bit unfortunate, and more
>> #ifdef-ery to come (though I'd like the OPENSSL_INIT_[NO_]UNLOAD one
>> :) ).
>
>But is it in reality at all possible to explicitly unload OpenSSL?
>You're talking here about mod_ssl but what if the OpenSSL is loaded not
>just by mod_ssl but by other shared library loaded into the httpd
>process - for example libkrb5 or libldap. Then you can see what
>disaster can happen if mod_ssl on unload explicitly calls
>OpenSSL_cleanup().
>
>The explicit cleanup is thus simply a no-go in distro-wide use of
>OpenSSL.
It sounds like an allocatable library context that could be used to store all the "global" stuff would be a good thing.
Incidently, we've introduced that concept for 3.0.0. Exactly what will end up in it is not decided, apart from the new provider related stuff.
Cheers
Richard
--
Skickat från min Android-enhet med K-9 Mail. Ursäkta min fåordighet.
More information about the openssl-users
mailing list