On Tue, 2019-03-05 at 14:16 +0100, Yann Ylavic wrote:
> On Tue, Mar 5, 2019 at 12:51 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
> >
> > 2) The no-pinshared option does not appear in 1.1.1 or 1.1.1a. It first appears
> > in 1.1.1b. Backporting the option was considered ok. But changing the default
> > mid-series is probably not a good idea.
> >
> > Changing the default could be considered for 3.0.
>
> Yes please, as it stands the 1.1 series is unloadable on the most used
> openssl libraries, distros'. I find this a bit unfortunate, and more
> #ifdef-ery to come (though I'd like the OPENSSL_INIT_[NO_]UNLOAD one
> :) ).

But is it in reality at all possible to explicitly unload OpenSSL?
You're talking here about mod_ssl, but what if OpenSSL is loaded not
just by mod_ssl but by another shared library loaded into the httpd
process - for example libkrb5 or libldap. Then you can see what disaster
can happen if mod_ssl on unload explicitly calls OPENSSL_cleanup().

The explicit cleanup is thus simply a no-go in distro-wide use of
OpenSSL.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]