[sr-dev] [kamailio/kamailio] tls: add support for OpenSSL engine and private keys in HSM (#1484)
aalba6675
notifications at github.com
Tue Mar 20 02:41:51 CET 2018
Thanks for the comments, I summarize actionable items at the bottom as the conversation develops. I can push further commits, and do the final squash when it can be accepted.
1. Preprocessor defines `OPENSSL_NO_ENGINE` - followed nginx and HAProxy where they use this to omit compile-time code that uses OpenSSL `ENGINE_xxxx` functions. Frankly I doubt any modern OpenSSL actually defines this. Same purpose as `OPENSSL_NO_ECDH` in existing `tls.c`.
At runtime it might be difficult as the symbol won't be in the users `libcrypto.so`. If we include these symbols, then the users `libcrypto.so` is required to have engine support (even if they don't use it)
Currently the runtime use is controlled by the proposed modparam `engine`, but ENGINE symbols are still UND in `tls.so`.
1. whitespace - added to TODO list below: it was a code editor setting, my bad
1. documentation - added to TODO list
Sample nginx code (because of `ENGINE_*` symbols). HAProxy has similar constructs:
```
#ifndef OPENSSL_NO_ENGINE
u_char *p, *last;
ENGINE *engine;
EVP_PKEY *pkey;
p = key->data + sizeof("engine:") - 1;
last = (u_char *) ngx_strchr(p, ':');
if (last == NULL) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"invalid syntax in \"%V\"", key);
return NGX_ERROR;
}
*last = '\0';
engine = ENGINE_by_id((char *) p);
```
TODO list:
* revert code editor gratuitous whitespace changes
* documentation updates for new configuration directives
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/1484#issuecomment-374443429
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-dev/attachments/20180319/970f35dd/attachment.html>
More information about the sr-dev
mailing list