curl-library

Re: [PATCH] ssl: fix engine refs in duphandle/openssl.cnf support

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 25 Apr 2013 12:55:54 +0200 (CEST)

On Tue, 23 Apr 2013, Jerry Qassar wrote:

> easy: Increment engine reference in curl_easy_duphandle
>
> When external programs (such as git) try to set the SSL engine, they set the
> engine in the default handle but subsequently (if using multi) obtain a
> duplicate handle to do the actual work.
>
> curl_easy_duphandle did not do anything with state.engine if set; make it do
> so by getting the engine ID of the source handle and incrementing the
> reference count with another curl_ssl_set_engine call.
>
> To my limited knowledge this is the 'proper' way to handle additional
> handles needing a non-default engine. Please advise if otherwise; handling
> of the default engine flag across handles is not attempted.

I'm not aware of anyone usually hanging around here that is an expert on this
subject so your ideas here are just as good as us others'. If the
documentation and testing say this works, then it seems like a good idea.

But I would like to ask you to make a full patch and send it separately from
the config file load patch, since they are actually independent.

> ssluse: Add Petr Pisar's patch to read OpenSSL conf file
>
> In 2010 Petr Pisar supplied a patch to allow curl to parse OpenSSL
> configuration files (either default or env-specified), enabling the use of
> dynamic engines such as those used for smartcard support. Original
> discussion of the patch terminated here:

First, the discussion was paused there
(http://curl.haxx.se/mail/archive-2010-03/0037.html) since nobody responded to
Yang's fine comments as far as I can see. I think they still deserve getting
addressed. For example, don't we risk hurting existing users/applications by
suddenly doing this by default, or the other way: do we need a way to allow
applications to switch this ability off?

Secondly, the loading of config files for OpenSSL seems to be required for
proper ENGINE use, but is somewhat problematic and we already have an open bug
report about it that hasn't been resolved yet:
http://sourceforge.net/p/curl/bugs/1208/

Related to the second point, docs/INTERNALS says we maintain compatibility
with OpenSSL 0.9.6. We either do that and thus make sure we use later
functions (such as these config file loading ones) conditionally, or we update
the document...

-- 
  / daniel.haxx.se
Received on 2013-04-25
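As an added illustration of the reference-count point in the quoted patch description (this is constructed example code, not code from the patch, libcurl or OpenSSL), the model below mimics a handle that holds an engine reference, in the style of curl_ssl_set_engine() and ENGINE_finish(): a duplicate that merely copies the engine pointer is left pointing at an engine whose last reference goes away when the source handle is cleaned up, while a duplicate that re-runs the set-engine path owns a reference of its own. All names here (toy_engine, toy_handle, toy_duphandle_before/after, the "pkcs11" engine id) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-in for an OpenSSL ENGINE: one shared object
 * with a reference count. When the count reaches zero the engine is "freed". */
typedef struct {
    char id[32];
    int refs;   /* references held by handles */
    int freed;  /* set once refs drops to zero */
} toy_engine;

/* Constructed stand-in for the part of an easy handle that the quoted patch
 * talks about (data->state.engine in libcurl terms). */
typedef struct {
    toy_engine *engine;
} toy_handle;

/* Like curl_ssl_set_engine(): locate the engine and take one reference. */
static int toy_set_engine(toy_handle *h, toy_engine *e) {
    if (e->freed)
        return -1;          /* engine already gone; refuse to hand out a dangling pointer */
    e->refs++;
    h->engine = e;
    return 0;
}

/* Like ENGINE_finish() during handle cleanup: release this handle's reference. */
static void toy_release_engine(toy_handle *h) {
    if (!h->engine)
        return;
    if (h->engine->refs > 0 && --h->engine->refs == 0)
        h->engine->freed = 1;
    h->engine = NULL;
}

/* Behaviour the patch description says curl_easy_duphandle had before:
 * the engine pointer is copied, the reference count is not touched. */
static toy_handle toy_duphandle_before(const toy_handle *src) {
    toy_handle dup = *src;  /* plain struct copy */
    return dup;
}

/* Behaviour the patch introduces: re-run the set-engine path for the
 * duplicate (the patch does it by engine id), so the dup owns a reference. */
static toy_handle toy_duphandle_after(const toy_handle *src) {
    toy_handle dup = {0};
    if (src->engine)
        toy_set_engine(&dup, src->engine);
    return dup;
}

/* Simulate: set engine on the original, duplicate it, clean up the original
 * (as a multi-based caller that keeps only the dup would), then check whether
 * the dup still has a live engine. Returns 1 if it does, 0 if not. */
static int dup_survives_source_cleanup(int use_fixed_dup) {
    toy_engine e = {"pkcs11", 0, 0};   /* constructed engine id */
    toy_handle src = {0};
    toy_set_engine(&src, &e);

    toy_handle dup = use_fixed_dup ? toy_duphandle_after(&src)
                                   : toy_duphandle_before(&src);

    toy_release_engine(&src);          /* curl_easy_cleanup() on the original */
    int live = dup.engine != NULL && !dup.engine->freed;
    toy_release_engine(&dup);          /* cleanup of the duplicate */
    return live;
}

int main(void) {
    printf("dup without ref increment, engine live after source cleanup: %d\n",
           dup_survives_source_cleanup(0));
    printf("dup with ref increment,    engine live after source cleanup: %d\n",
           dup_survives_source_cleanup(1));
    return 0;
}
```

The model deliberately keeps the engine as a single shared object: that is what makes the copied pointer in toy_duphandle_before a problem, and it is also why the reviewer's request to test against the documented OpenSSL reference semantics matters more than the patch's own comment about being the "proper" way.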