[geoff - Mon Jul 5 07:13:59 2004]:
>
> On the other hand, it might be desirable to build openssl libs that
> perform this autoconfiguration every time they're used, rather than just
> for applications that see fit to call it. This came up in a chat with
> Steve some time back (he was the one that did the config-module work),
> though I don't know whether anything ended up in there to let you
> hard-code config-loading into the openssl libs. If not, it was probably
> just for lack of a conviction of whether it was worth doing, or for lack
> of a preferred mechanism/semantic for it. Steve, can you comment?
>

It can be defined on a per application basis using the preprocessor symbol OPENSSL_LOAD_CONFIG. See:

http://www.openssl.org/docs/crypto/OPENSSL_config.html

OPENSSL_config() then gets called automatically when OPENSSL_add_all_algorithms() is called.

There were problems in finding an appropriate mechanism with existing applications. There's no guaranteed way of calling the function at the correct time or its cleanup function.

It was felt that there were potential security implications if OPENSSL_config() was called automatically by any application linked to OpenSSL: since an ENGINE can run arbitrary code.

So, as the docs suggest, OPENSSL_config() is a bit of a compromise. An application that wants finer control should call the config module functions directly.

As it stands in OpenSSL 0.9.7/0.9.8 OPENSSL_config() allows applications with minimal or no ENGINE awareness (or knowledge of other configuration methods) to load ENGINEs and do various other tasks (currently adding ASN1 OIDs) without having to know anything about what is going on.

The ENGINE config module also allows ctrl commands to be sent to an ENGINE before and after loading or initialization: very few applications currently support this.

In future the config-module mechanism may well support much more extensive options so it's a good idea for new applications (or new versions of existing applications) to call the config-module code.

Steve.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                           [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
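
Added example, not part of the original message or of OpenSSL's own code: a small audit script that lists what an OpenSSL config file would make a process do once the config modules run (OIDs added, ENGINE shared objects loaded, ctrl commands sent), which is the concern raised above about loading configuration automatically. The sample file, the engine name `examplehw`, its path and the `EXAMPLE_CTRL` command are constructed; the parser is simplified and assumes the documented `openssl_conf` / `engines` / `oid_section` layout.

```python
import re

# Constructed sample (not from the original message). Key names follow the
# documented OpenSSL config syntax; the engine name, path and ctrl are made up.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
oid_section = new_oids
engines = engine_section
[new_oids]
myOID = 1.2.3.4
[engine_section]
hw = hw_section
[hw_section]
engine_id = examplehw
dynamic_path = /opt/example/lib/libexamplehw.so
EXAMPLE_CTRL = value
init = 1
"""
# Keys the ENGINE module interprets itself; any other key is sent as a ctrl.
ENGINE_SETTINGS = {"engine_id", "init", "default_algorithms", "soft_load"}

def parse_cnf(text):
    """Simplified parser: {section: [(key, value), ...]}, no $var expansion."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def audit(text):
    """Return (kind, name, detail) for each action the config would trigger."""
    s, findings = parse_cnf(text), []
    root = dict(s["default"]).get("openssl_conf")
    for module, target in s.get(root, []):
        if module == "oid_section":
            findings += [("oid", k, v) for k, v in s.get(target, [])]
        elif module == "engines":
            for name, esec in s.get(target, []):
                for k, v in s.get(esec, []):
                    kind = ("load_shared_object" if k == "dynamic_path" else
                            "engine_setting" if k in ENGINE_SETTINGS else "ctrl_command")
                    findings.append((kind, name, f"{k}={v}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CNF):
        print(*finding)
```

Any `load_shared_object` finding names a file whose ownership and permissions deserve the same scrutiny as the application binary itself.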