On Fri, Dec 19, 2008 at 01:54:47AM +0100, Dr. Stephen Henson wrote:

> > If OPENSSL_config() calls exit() on error, Postfix must not use
> > OPENSSL_config(). Is the CONF_modules_load_file() interface safe in this
> > respect (will return errors, not exit)?
>
> OPENSSL_config() has that behaviour because it has no idea what the
> application considers appropriate under those circumstances. Generally that
> won't happen unless something bad(tm) has happened.
>
> CONF_modules_load_file() just returns error codes and will never exit an
> application. Indeed OPENSSL_config() calls that, see crypto/conf/conf_sap.c

Thanks, reading that and related code I find:

    void OPENSSL_add_all_algorithms_conf(void)
    {
        OPENSSL_add_all_algorithms_noconf();
        OPENSSL_config(NULL);
    }

so it seems that the right calling sequence for advanced applications is:

    OPENSSL_no_config();
    SSL_load_error_strings();
    OpenSSL_add_ssl_algorithms();
    if (CONF_modules_load_file(...) <= 0) {
        /* Handle configuration errors */
    }

Is this still the right order with FIPS in the picture?

-- 
    Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org