Tomas Mraz <tmraz@xxxxxxxxxx> wrote: (5 March 2019 14:47:18 CET)
> On Tue, 2019-03-05 at 14:16 +0100, Yann Ylavic wrote:
> > On Tue, Mar 5, 2019 at 12:51 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
> > >
> > > 2) The no-pinshared option does not appear in 1.1.1 or 1.1.1a. It
> > > first appears in 1.1.1b. Backporting the option was considered ok.
> > > But changing the default mid-series is probably not a good idea.
> > >
> > > Changing the default could be considered for 3.0.
> >
> > Yes please, as it stands the 1.1 series is unloadable on the most
> > used openssl libraries, distros'. I find this a bit unfortunate, and
> > more #ifdef-ery to come (though I'd like the OPENSSL_INIT_[NO_]UNLOAD
> > one :) ).
>
> But is it in reality at all possible to explicitly unload OpenSSL?
> You're talking here about mod_ssl, but what if the OpenSSL is loaded not
> just by mod_ssl but by other shared libraries loaded into the httpd
> process - for example libkrb5 or libldap. Then you can see what
> disaster can happen if mod_ssl on unload explicitly calls
> OpenSSL_cleanup().
>
> The explicit cleanup is thus simply a no-go in distro-wide use of
> OpenSSL.

It sounds like an allocatable library context that could be used to store all the "global" stuff would be a good thing. Incidentally, we've introduced that concept for 3.0.0. Exactly what will end up in it is not decided, apart from the new provider-related stuff.

Cheers
Richard

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
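The hazard Tomas describes (one consumer of a shared library tearing down process-global state that other consumers in the same process still rely on) and the direction Richard points at (an allocatable per-consumer context) can be shown with a small self-contained model. The code below is an added illustration written for this page, not OpenSSL code or anything from the thread; all names (`lib_global_*`, `lib_ctx_*`, the scenario functions, the "mod_ssl"/"libkrb5" roles in the comments) are hypothetical stand-ins, and the "cipher table" strings are constructed sample state.

```c
/* Added example: a toy model of process-global library state versus an
 * allocatable library context.  Hypothetical names; not OpenSSL's API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap copy of a string, so teardown has something real to free. */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* --- Model 1: one process-global state shared by every consumer --- */
static struct { int initialised; int users; char *table; } g_lib;

/* Idempotent init that also counts how many consumers depend on the state. */
static void lib_global_init(void) {
    if (!g_lib.initialised) {
        g_lib.table = dup_str("global-cipher-table");   /* constructed sample state */
        g_lib.initialised = 1;
    }
    g_lib.users++;
}

/* Unconditional teardown: what an explicit cleanup on module unload does. */
static void lib_global_cleanup(void) {
    free(g_lib.table);
    g_lib.table = NULL;
    g_lib.initialised = 0;
    g_lib.users = 0;
}

/* Reference-counted release: tears down only when the last consumer leaves. */
static void lib_global_release(void) {
    if (g_lib.users > 0 && --g_lib.users == 0)
        lib_global_cleanup();
}

/* A consumer doing work; returns 1 only if the global state is still usable. */
static int lib_global_use(void) {
    return g_lib.initialised && g_lib.table != NULL;
}

/* Two consumers (think mod_ssl and libkrb5) share the state; the first one is
 * unloaded and runs the explicit cleanup.  Returns whether the second consumer
 * can still work afterwards: 0, because its state was pulled out from under it. */
int scenario_explicit_cleanup(void) {
    lib_global_init();          /* first consumer */
    lib_global_init();          /* second consumer */
    lib_global_cleanup();       /* first consumer unloads with explicit cleanup */
    int ok = lib_global_use();  /* second consumer now finds dead state */
    lib_global_cleanup();       /* leave the model clean for the next scenario */
    return ok;
}

/* Same sequence, but the unloading consumer only drops its reference.
 * Returns 1: the second consumer keeps working and the state is freed only
 * once it also goes away. */
int scenario_refcounted_release(void) {
    lib_global_init();
    lib_global_init();
    lib_global_release();       /* first consumer unloads: refcount 2 -> 1 */
    int ok = lib_global_use();  /* second consumer still fine */
    lib_global_release();       /* last consumer leaves: state actually freed */
    return ok && !g_lib.initialised;
}

/* --- Model 2: an allocatable library context per consumer --- */
typedef struct { char *table; } lib_ctx;

lib_ctx *lib_ctx_new(void) {
    lib_ctx *c = malloc(sizeof *c);
    if (c) c->table = dup_str("per-context-cipher-table");  /* constructed */
    return c;
}
int lib_ctx_use(const lib_ctx *c) { return c != NULL && c->table != NULL; }
void lib_ctx_free(lib_ctx *c) { if (c) { free(c->table); free(c); } }

/* Each consumer owns its own context, so one unloading and freeing its
 * context cannot affect the other.  Returns 1. */
int scenario_lib_ctx(void) {
    lib_ctx *first = lib_ctx_new();
    lib_ctx *second = lib_ctx_new();
    lib_ctx_free(first);        /* first consumer unloads: frees only its own */
    int ok = lib_ctx_use(second);
    lib_ctx_free(second);
    return ok;
}

int main(void) {
    printf("explicit global cleanup: second consumer usable = %d\n", scenario_explicit_cleanup());
    printf("refcounted release:      second consumer usable = %d\n", scenario_refcounted_release());
    printf("per-consumer context:    second consumer usable = %d\n", scenario_lib_ctx());
    return 0;
}
```

The refcounted variant only works if every consumer in the process plays by the same rules, which a module in a distro-built httpd cannot assume of libkrb5 or libldap; that is why a context each consumer allocates and frees on its own is the more robust design for shared library state.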