Shouldn't no-pinshared be the default?

Tomas Mraz tmraz at
Tue Mar 5 17:05:32 UTC 2019

On Tue, 2019-03-05 at 16:00 +0100, Yann Ylavic wrote:
> On Tue, Mar 5, 2019 at 2:47 PM Tomas Mraz <tmraz at> wrote:
> > 
> Why? Distros know better than the applications they run?

They actually do, because applications cannot really know whats deep in
the chain of loaded shared libraries - for example getpwnam() can load
libnss_ldap which can load libldap which can load libssl. And the
application has no idea about what is your nsswitch.conf config.

> Since we are here, why OPENSSL_cleanup() exists and is public in the
> first place, and why no-pinshared or OPENSSL_INIT_NO_ATEXIT?

Yes, having the public OPENSSL_cleanup() to be anything else than no-op 
is probably a mistake. 

Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your

More information about the openssl-users mailing list