On 23/10/2013 15:30, Kaspar Brand wrote:
> On 22.10.2013 22:04, Dr Stephen Henson wrote:
>> Only bit I'm not completely sure about is the use of the SSL_CONF_CTX
>> structure in modssl_ctx_t. It's done that way to avoid having to keep
>> creating and destroying the SSL_CONF_CTX for each directive but a quick
>> test showed it was creating several other SSL_CONF_CTX structures which
>> were never used.
>
> Right now, the SSL_CONF_CTX_* handling is in ssl_init_ctx_protocol,
> which is called once for each vhost (and each vhost has its own
> modssl_ctx_t), so the change you applied with r1534754 doesn't really
> change much as far as the SSL_CONF_CTX structure handling is concerned,
> I think. To prevent unnecessary SSL_CONF_CTX structures from being
> created, it should be sufficient to enclose that block with an "if
> (mctx->ssl_ctx_param->nelts > 0)" condition, IINM.
>
Well, the handling remains in ssl_init_ctx_protocol, but now an SSL_CONF_CTX
with appropriate flags is created in modssl_ctx_init. That is done because
a valid SSL_CONF_CTX is needed to call SSL_CONF_cmd_value_type in
ssl_cmd_SSLOpenSSLConfCmd.

So my thought was (if unnecessary SSL_CONF_CTX creation is a problem) to
change modssl_ctx_init to just set mctx->ssl_ctx_config to NULL and instead
create a new SSL_CONF_CTX in ssl_cmd_SSLOpenSSLConfCmd if
mctx->ssl_ctx_config is NULL.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com