On Fri, Dec 19, 2008 at 12:32:48AM +0100, Dr. Stephen Henson wrote:
> > The OPENSSL_config() function is designed to be a very simple "call
> > it
> > and forget it" function. As a result its behaviour is somewhat lim-
> > ited. It ignores all errors silently and it can only load from the
> > standard configuration file location for example.
> >
> > Was the documentation wrong all along, or does FIPS force a change in
> > the documented semantics of existing APIs?
> >
>
> The documentation is incomplete. Some errors such as a missing configuration
> file are ignored.
>
> An error when running a configuration module will cause the application to
> exit. This can be caused by a malformed configuration file or an error which
> occurs when an API call is made. An example of that would be a failed
> FIPS_mode_set().
If OPENSSL_config() calls exit() on error, Postfix must not use
OPENSSL_config(). Is the CONF_modules_load_file() interface safe in this
respect (will return errors, not exit)?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
