Thanks for the comments, I summarize actionable items at the bottom as the conversation develops. I can push further commits, and do the final squash when it can be accepted.

  1. Preprocessor defines OPENSSL_NO_ENGINE - followed nginx and HAProxy where they use this to omit compile-time code that uses OpenSSL ENGINE_xxxx functions. Frankly I doubt any modern OpenSSL actually defines this. Same purpose as OPENSSL_NO_ECDH in existing tls.c.

    At runtime it might be difficult as the symbol won't be in the user's libcrypto.so. If we include these symbols, then the user's libcrypto.so is required to have engine support (even if they don't use it).

    Currently the runtime use is controlled by the proposed modparam engine, but ENGINE symbols are still UND in tls.so.

  2. whitespace - added to TODO list below: it was a code editor setting, my bad

  3. documentation - added to TODO list

Sample nginx code (because of ENGINE_* symbols). HAProxy has similar constructs:

#ifndef OPENSSL_NO_ENGINE
        u_char      *p, *last;
        ENGINE      *engine;
        EVP_PKEY    *pkey;
        p = key->data + sizeof("engine:") - 1;
        last = (u_char *) ngx_strchr(p, ':');
        if (last == NULL) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                               "invalid syntax in \"%V\"", key);
            return NGX_ERROR;
        }
        *last = '\0';
        engine = ENGINE_by_id((char *) p);

TODO list:


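As an added example (not code from this PR, from nginx, or from HAProxy), the following shows the two points raised above in a form that builds with or without OpenSSL: the "engine:<engine-id>:<key-id>" key spec that the nginx excerpt splits on ':' is parsed into its parts, the missing-separator case is rejected the way nginx reports "invalid syntax", and the OPENSSL_NO_ENGINE guard decides at compile time whether engine specs are accepted at all, so a build that omits the ENGINE code path never references ENGINE_* symbols. The prefix, the struct and the status codes are assumptions for this example; only the spec shape comes from the excerpt, and unlike nginx the parser copies rather than writing a NUL into the caller's buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: key-spec parsing with a compile-time ENGINE guard.
 * The prefix and the spec shape follow the nginx excerpt; everything else
 * (names, limits, status codes) is assumed for this example. */

#define ENGINE_PREFIX "engine:"

enum spec_status {
    SPEC_FILE        =  0,  /* not an engine spec: treat as a key file path */
    SPEC_ENGINE      =  1,  /* engine id and key id parsed */
    SPEC_INVALID     = -1,  /* engine prefix present but syntax is wrong */
    SPEC_UNSUPPORTED = -2   /* engine spec given, but this build has no ENGINE code */
};

struct key_spec {
    char engine_id[64];
    char key_id[256];
};

/* 1 if the ENGINE code path was compiled in, 0 if OPENSSL_NO_ENGINE
 * omitted it.  A build with this returning 0 references no ENGINE_*
 * symbols, so it does not require engine support in libcrypto.so. */
int engine_support_compiled_in(void)
{
#ifndef OPENSSL_NO_ENGINE
    return 1;
#else
    return 0;
#endif
}

/* Splits "engine:<engine-id>:<key-id>" into out->engine_id / out->key_id.
 * Returns a spec_status value; out is only written on SPEC_ENGINE. */
int parse_key_spec(const char *spec, struct key_spec *out)
{
    const char *p, *sep;
    size_t eng_len, key_len;

    if (spec == NULL || out == NULL)
        return SPEC_INVALID;

    /* No "engine:" prefix: the ordinary file-based key path. */
    if (strncmp(spec, ENGINE_PREFIX, strlen(ENGINE_PREFIX)) != 0)
        return SPEC_FILE;

    /* Refuse engine specs when the ENGINE path was compiled out. */
    if (!engine_support_compiled_in())
        return SPEC_UNSUPPORTED;

    p = spec + strlen(ENGINE_PREFIX);       /* as in nginx: skip "engine:" */
    sep = strchr(p, ':');                   /* as in nginx: find next ':'  */

    /* Missing separator, empty engine id or empty key id: invalid syntax. */
    if (sep == NULL || sep == p || sep[1] == '\0')
        return SPEC_INVALID;

    eng_len = (size_t)(sep - p);
    key_len = strlen(sep + 1);
    if (eng_len >= sizeof out->engine_id || key_len >= sizeof out->key_id)
        return SPEC_INVALID;                /* would not fit: reject, never truncate */

    memcpy(out->engine_id, p, eng_len);
    out->engine_id[eng_len] = '\0';
    memcpy(out->key_id, sep + 1, key_len + 1);
    return SPEC_ENGINE;
}

int main(void)
{
    /* Constructed inputs covering each outcome. */
    const char *inputs[] = { "/etc/keys/server.key", "engine:pkcs11:slot0-key",
                             "engine:pkcs11", "engine::x" };
    struct key_spec ks;
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int st = parse_key_spec(inputs[i], &ks);
        printf("%-24s -> %d", inputs[i], st);
        if (st == SPEC_ENGINE)
            printf(" (engine=%s key=%s)", ks.engine_id, ks.key_id);
        printf("\n");
    }
    return 0;
}
```

The runtime switch the PR proposes (the engine modparam) would sit on top of this: the compile-time guard removes the ENGINE_* references from the shared object, while the modparam decides whether an engine spec is honoured in a build that does have them.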