On 23.10.2013 16:48, Dr Stephen Henson wrote:
> Well the handling remains in ssl_init_ctx_protocol but now an SSL_CONF_CTX with
> appropriate flags is created in modssl_ctx_init. That is done because a valid
> SSL_CONF_CTX is needed to call SSL_CONF_cmd_value_type in
> ssl_cmd_SSLOpenSSLConfCmd.
>
> So my thought was (if unnecessary SSL_CONF_CTX creation is a problem) change the
> modssl_ctx_init to just set mctx->ssl_ctx_config to NULL and instead create a
> new SSL_CONF_CTX in ssl_cmd_SSLOpenSSLConfCmd if mctx->ssl_ctx_config is NULL.

Ah, ok, I was missing the point of SSL_CONF_CTX now being necessary in
ssl_cmd_SSLOpenSSLConfCmd. Creating it on first use then seems like a
reasonable approach.

Perhaps it would also make sense to free SSL_CONF_CTX in
ssl_init_ctx_protocol after having called SSL_CONF_CTX_finish (as was
done before r1534754)?

Kaspar