[PATCH] SSL: Set engine passed in ssl_certificate_key as default

Maxim Dounin mdounin at mdounin.ru
Thu May 3 14:46:03 UTC 2018


Hello!

On Mon, Apr 30, 2018 at 06:05:56AM -0400, Anderson Sasaki wrote:

> Hello,
> 
> Following are two patches, one adding the call to set the engine as default for all methods and the other restricting the engine to be the default only for PKEY methods.
> For me it makes sense to have the engine as default only for PKEY methods.
> 
> Best Regards,
> Anderson
> 
> # HG changeset patch
> # User Anderson Toshiyuki Sasaki <ansasaki at redhat.com>
> # Date 1525082320 -7200
> #      Mon Apr 30 11:58:40 2018 +0200
> # Node ID 07278e8f9b731a7b78b62c6f1826f71967d31fd7
> # Parent  46c0c7ef4913011f3f1e073f9ac880b07b1a8154
> SSL: Set engine passed in ssl_certificate_key as default
> Set the engine as the default OpenSSL engine.
> 
> diff -r 46c0c7ef4913 -r 07278e8f9b73 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Wed Apr 25 14:57:24 2018 +0300
> +++ b/src/event/ngx_event_openssl.c     Mon Apr 30 11:58:40 2018 +0200
> @@ -527,6 +527,14 @@
>              return NGX_ERROR;
>          }
>  
> +        if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
> +            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> +                          "ENGINE_set_default(engine, ENGINE_METHOD_ALL) "
> +                          "failed");
> +            ENGINE_free(engine);
> +            return NGX_ERROR;
> +        }
> +
>          *last++ = ':';
>  
>          pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
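
Review bot: The ENGINE_set_default(engine, ENGINE_METHOD_ALL) call added ahead of ENGINE_load_private_key() changes process-wide OpenSSL state as a side effect of loading one key, and the commit message does not say why that is required. ENGINE_METHOD_ALL makes the engine the default for every algorithm class it implements (ciphers, digests, RAND and so on), not only private key operations, so all other TLS contexts in the process are affected by whichever key path happens to name an engine. Because the call sits before the key load, the default is also switched when the load subsequently fails. Please either drop the call or document the failure it fixes, and if a default really is needed, limit it to the PKEY methods mentioned in the cover note and state that scope in the commit message.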

There should be no need to set a default engine for anything when 
loading private keys.  Private keys as loaded from an engine are 
expected to work regardless of whether the engine is configured as 
a default one or not.

If you think this change is needed for some reason, please 
elaborate why it is needed.

[...]

-- 
Maxim Dounin
http://mdounin.ru/

