From: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx> on behalf of Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>
Sent: Wednesday, March 5, 2025 10:48 AM
To: openssl-users@xxxxxxxxxxx
Subject: Re: Configuring to fail when a provider doesn't load

On Wed, Mar 05, 2025 at 01:10:32PM -0500, Neil Horman wrote:

> I'm not aware of any explicit failure capability if a provider fails to
> load from the configuration file. I think the expected process here would
> be to call OPENSSL_init_crypto from your application, to drive the
> configuration parsing and loading of any referenced providers, followed by
> a call to OSSL_PROVIDER_available(). Failure on the latter call would mean
> that the named provider in the available call wasn't loaded, despite being
> referenced in your config.

It need not be that involved. As an important safety precaution, to avoid
system-wide outages, when there's a problem with the config file by default
applications keep going. Applications that perform explicit initialisation
can choose to require a working configuration.

    https://github.com/vdukhovni/postfix/blob/73ef04f1921f45430da269f88c1424e9d01ba8db/postfix/src/tls/tls_misc.c#L764-L823

When calling OPENSSL_init_ssl(3) explicitly, one can specify whether
configuration file processing errors are skipped or result in library
initialisation errors. Failure to load a provider should, I expect, be
handled like any other initialisation error.

--
    Viktor.

--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/Z8ice9In4dC9Ap2b%40chardros.imrryr.org.