> > [EMAIL PROTECTED] - Tue Sep 11 23:09:59 2007]:
> > 
> > Hi guys,
> > 
> > [as advised on the list, i'm going through rt]
> > 
> > I'm writing several privilege separated daemons which rely on
> > openssl and need reload support. What I really need is to be able
> > to create SSL contexts in jails; SSL_use_chain_certificate_file and
> > friends don't work in such an environment, as the certificate files
> > are usually owned by root outside the jail.
> > 
> > All _file functions call BIO_new, then set the underlying filename
> > and continue their work.
> > 
> 
> You can achieve this without changing OpenSSL.
> 
> Instead of relying on file based SSL functions you can instead rely on
> structure based ones using X509, EVP_PKEY et al.
> 
> You'd load the structures outside the jail and keep them hanging
> around inside.
> 
> Then when you need to reload you just pass the necessary structures.
> 
> 
There's no reliable way to pass these structures on an AF_UNIX socket
since I don't know their internals (without pulling in header files I'm
not supposed to) and there are other pointers in the X509 and related
structs.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
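One way to build the privilege-separated design discussed in this thread without passing library structures at all: the parent reads the root-owned PEM files, ships the raw bytes over the socket, and the jailed child parses them from memory and swaps the live TLS config on reload. This is an added example, not code from the thread or from OpenSSL; it uses Go's standard library so it runs stand-alone, and the OpenSSL equivalent of `configFromMemory` is `BIO_new_mem_buf` + `PEM_read_bio_X509` / `PEM_read_bio_PrivateKey` followed by `SSL_CTX_use_certificate` / `SSL_CTX_use_PrivateKey`. The length-prefixed framing, the 1 MiB per-item bound, and all function names are this example's own assumptions; the self-signed certificate is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sync/atomic"
	"time"
)

// packCreds is the privileged parent's side: the PEM bytes it read from
// root-owned files become two length-prefixed items. Only bytes cross the
// AF_UNIX socket, never X509 or EVP_PKEY structures.
func packCreds(certPEM, keyPEM []byte) []byte {
	out := make([]byte, 0, 8+len(certPEM)+len(keyPEM))
	for _, item := range [][]byte{certPEM, keyPEM} {
		var hdr [4]byte
		binary.BigEndian.PutUint32(hdr[:], uint32(len(item)))
		out = append(append(out, hdr[:]...), item...)
	}
	return out
}

// unpackCreds is the jailed child's side; truncated, empty, oversized or
// trailing data is rejected before anything reaches the PEM parser.
func unpackCreds(frame []byte) (certPEM, keyPEM []byte, err error) {
	const maxItem = 1 << 20 // assumed upper bound for one PEM item
	var items [][]byte
	for i := 0; i < 2; i++ {
		if len(frame) < 4 {
			return nil, nil, errors.New("truncated length prefix")
		}
		n := binary.BigEndian.Uint32(frame[:4])
		frame = frame[4:]
		if n == 0 || n > maxItem || uint64(n) > uint64(len(frame)) {
			return nil, nil, fmt.Errorf("bad item length %d", n)
		}
		items = append(items, frame[:n])
		frame = frame[n:]
	}
	if len(frame) != 0 {
		return nil, nil, errors.New("trailing bytes after credentials")
	}
	return items[0], items[1], nil
}

// configFromMemory builds the TLS config from bytes alone: no file access
// happens inside the jail, and the key is checked against the certificate.
func configFromMemory(certPEM, keyPEM []byte) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

// credHolder is the child's reload point: the live config is swapped atomically
// and GetConfigForClient hands the newest one to every new handshake.
type credHolder struct{ live atomic.Value } // holds *tls.Config

func (h *credHolder) reload(frame []byte) error {
	certPEM, keyPEM, err := unpackCreds(frame)
	if err != nil {
		return err
	}
	cfg, err := configFromMemory(certPEM, keyPEM)
	if err != nil {
		return err // the previous credentials stay in service on a bad reload
	}
	h.live.Store(cfg)
	return nil
}

func (h *credHolder) current() *tls.Config {
	cfg, _ := h.live.Load().(*tls.Config)
	return cfg
}

// listenerConfig is what a real daemon would pass to tls.NewListener.
func (h *credHolder) listenerConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12,
		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
			if cfg := h.current(); cfg != nil {
				return cfg, nil
			}
			return nil, errors.New("no credentials loaded yet")
		}}
}

// selfSignedPEM makes a throwaway certificate so the example runs offline (constructed test data).
func selfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	var h credHolder
	for _, cn := range []string{"daemon-v1", "daemon-v2"} { // parent frames, child reloads
		certPEM, keyPEM, err := selfSignedPEM(cn)
		if err != nil {
			panic(err)
		}
		if err := h.reload(packCreds(certPEM, keyPEM)); err != nil {
			panic(err)
		}
		fmt.Println("serving as", h.current().Certificates[0].Leaf.Subject.CommonName)
	}
	_ = h.listenerConfig()
}
```

The child never needs a file descriptor or the OpenSSL struct layouts: what crosses the socket is the same PEM text the `_file` functions would have read, and a reload that fails to parse leaves the previously loaded credentials untouched.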