Re: Custom OpenSSL crypto engine not known to cURL

From: Yang Tse <yangsita_at_gmail.com>
Date: Fri, 12 Mar 2010 10:53:44 +0100

2010/3/11, Daniel Stenberg wrote:

> On Wed, 10 Mar 2010, Yang Tse wrote:
>
> > I'm not sure everyone using an OpenSSL enabled libcurl, either static or
> > dynamic version, would want to allow any user, or script, capable of setting
> > OPENSSL_CONF environment variable to modify application behavior beyond
> > developers or distributors control.
>
> I agree with that in general, but in this particular case: what's the worst
> bad thing a user could do if it was given this ability without the app's
> consent?

I really don't know. But a little investigation in the OpenSSL source
code reveals that my concern, related to some systems probably being
'surprised' by the new capability, has vanished.

If some individual or organization wishes to forbid 'configuration'
capability to the apps using OpenSSL, they will simply build OpenSSL
without that capability. So it really won't matter what the user sets
in the OPENSSL_CONF environment variable or the openssl.cnf file.

So I suppose it is OK to let libcurl attempt OpenSSL configuration
without needing any new flag for curl_global_init() in all cases, as
long as the code survives non-configurable built OpenSSL libraries.

For the rest of the engine stuff I don't have any experience. So it
will be better if I just step aside and let others work.

-- 
-=[Yang]=-
Received on 2010-03-12