On Fri, Nov 10, 2000 at 11:44:44PM +0100, Richard Levitte - VMS Whacker wrote:
[Description of different locations for different modules deleted.]
> In this case, I'd say ENGINE_PATH would probably be the way to go that
> is reasonably simple to implement.
I consider this as kind of agreement, that the DSO code will be changed
accordingly in the (near) future :-) Maybe the environment variable should
have a better name like OPENSSL_ENGINE_PATH, for namespace reasons.
> Lutz.Jaenicke> When OpenSSL is compiled, OPENSSLDIR could be recorded
> Lutz.Jaenicke> and the engine could either go to OPENSSLDIR/lib (as
> Lutz.Jaenicke> the normal openssl libraries, why not?) or into
> Lutz.Jaenicke> OPENSSLDIR/engines (if an extra directory is being
> Lutz.Jaenicke> preferred).
>
> Can't really do that. After all, if someone builds a program on top
> of libcrypto and makes use of the nCipher engine, should he or she,
> upon sending the program to the customer say "Oh, and to be able to
> use this, you have to move /opt/nfast/toolkits/hwcrhk/libnfhwcrhk.so
> to /usr/local/ssl/engine"? I don't think that's entirely fair. Of
> course, there are softlinks, at least under Unix, but I'm not very
> fond of soft links...
So it does not make sense to hardcode a default search path for engines
into OpenSSL (in case OPENSSL_ENGINE_PATH is not set)!?
> Lutz.Jaenicke> In a certain sense I am surprised as this discussion
> Lutz.Jaenicke> only arose because of the change to the HP-UX special
> Lutz.Jaenicke> behaviour. What about other platforms? How is dynamic
> Lutz.Jaenicke> loading realized there?
>
> With dlopen() and friends, searching along LD_LIBRARY_PATH is the
> default, as I understand it...
This means that dlopen() must only be called with absolute pathnames (this is
what the documentation on my Linux box at home says), otherwise
LD_LIBRARY_PATH (and /etc/ld.so.cache and /usr/lib and /lib) are evaluated
(the latter ones are system settings, so they should be ok from the
security point of view).
Until the change in the DSO code is being done, I think we should leave
the +s switch for HP-UX enabled and have SHLIB_PATH evaluated in order
to make life easier for application developers.
(LD_LIBRARY_PATH is evaluated for dlopen() anyhow, so there is no additional
risk involved for SHLIB_PATH.)
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]