Ticket metadata
The Basics
Id: 1212
Status: resolved
Worked: 20 min
Priority: 0/
Queue: OpenSSL-Bugs

Custom Fields
Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: Richard Levitte
Requestors:
Cc:
AdminCc:

Dates
Created: Thu Oct 06 11:55:07 2005
Starts: Not set
Started: Thu Oct 27 19:18:24 2005
Last Contact: Not set
Due: Not set
Closed: Sat Jul 26 21:28:16 2014
Updated: Sat Jul 26 21:28:16 2014 by Rich Salz



Subject: chil engine no longer works with static locks in 0.9.8
Hi,

I notice that the chil engine in 0.9.8 has had the hack which allows it to work with static
locks removed.

This stops our engine working with the openssl application (as it registers a lock debugging
callback) and Apache 2.x (and other apps too no doubt)

I apologise for not spotting this earlier, our previous openssl developers have left the
company so we missed the final release testing.

Would it be possible to put the hack back in for the next release? or is there something else
that we could do instead to allow our engine to work with static locks? It seems that the
dynamic locks are rarely used.

Thanks

-john
[guest - Thu Oct 6 11:55:10 2005]:

> I notice that the chil engine in 0.9.8 has had the hack which allows
> it to work with static locks removed.

That is correct. The reason is exactly what you said; it's a hack, and
it was *meant* to be temporary, to allow for a smooth move from the
0.9.6 engine architecture (where that hack originated) to the proper way
(dynamic locks, which were first implemented in 0.9.7).

We can't keep creating static hacks for things that may or may not be
in OpenSSL for various reasons, and engines are such objects.

> This stops our engine working with the openssl application (as it
> registers a lock debugging callback) and Apache 2.x (and other apps
> too no doubt)

That's because those applications don't set up callbacks for the
dynamic locks. The correct thing to do is to talk with the application
authors and tell them that there are new requirements to make engines
work.

> Would it be possible to put the hack back in for the next release?

I think that would be a bad idea, generally speaking.

> or is there something else that we could do instead to allow our
> engine to work with static locks? It seems that the dynamic locks
> are rarely used.

Yes, it's true, they are rarely used... currently. However, I really
would encourage people to use them more, as they are a bit more
flexible than the static locks. Ideally, OpenSSL should probably move
to dynamic locks entirely, which would make maintenance quite a bit
easier.

--
Richard Levitte
levitte@openssl.org
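
The dynamic lock callbacks that the reply above says applications must set up, as an added example that is not part of the original thread or of OpenSSL's own code. It uses pthread mutexes; the three `CRYPTO_set_dynlock_*_callback` calls are the OpenSSL 0.9.7 to 1.0.x API, while `USE_OPENSSL`, the `dyn_*` function names and the debugging fields in the struct are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdlib.h>

#ifdef USE_OPENSSL              /* build with -DUSE_OPENSSL -lcrypto (0.9.7 to 1.0.x) */
#include <openssl/crypto.h>
#else                           /* constructed stand-in so the file compiles alone */
#define CRYPTO_LOCK 1
#endif

/* OpenSSL leaves the layout of this struct to the application. */
struct CRYPTO_dynlock_value {
    pthread_mutex_t mutex;
    const char *file;           /* creation site, kept for lock debugging */
    int line;
    int held;                   /* written only while the mutex is held */
};

/* Called by OpenSSL (or an engine) whenever it needs a new lock. */
struct CRYPTO_dynlock_value *dyn_create(const char *file, int line)
{
    struct CRYPTO_dynlock_value *l = malloc(sizeof(*l));
    if (l == NULL)
        return NULL;
    if (pthread_mutex_init(&l->mutex, NULL) != 0) {
        free(l);
        return NULL;
    }
    l->file = file; l->line = line; l->held = 0;
    return l;
}

/* mode carries CRYPTO_LOCK to acquire; anything else is a release. */
void dyn_lock(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
{
    (void)file; (void)line;
    if (mode & CRYPTO_LOCK) { pthread_mutex_lock(&l->mutex); l->held = 1; }
    else                    { l->held = 0; pthread_mutex_unlock(&l->mutex); }
}

void dyn_destroy(struct CRYPTO_dynlock_value *l, const char *file, int line)
{
    (void)file; (void)line;
    pthread_mutex_destroy(&l->mutex);
    free(l);
}

/* Call once at start-up, before any engine is loaded. */
void install_dynlock_callbacks(void)
{
#ifdef USE_OPENSSL
    CRYPTO_set_dynlock_create_callback(dyn_create);
    CRYPTO_set_dynlock_lock_callback(dyn_lock);
    CRYPTO_set_dynlock_destroy_callback(dyn_destroy);
#endif
}
```

From OpenSSL 1.1.0 onward the library does its own locking and these registration calls are retained only as no-op compatibility macros.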
Date: Thu, 03 Nov 2005 12:37:55 +0100 (CET)
To: rt@openssl.org
Subject: [openssl.org #1212] chil engine no longer works with static locks in 0.9.8
From: Richard Levitte - VMS Whacker <richard@levitte.org>
RT-Send-Cc:
[Originally sent by John, all I'm doing is forwarding it to our ticket
database to make sure it gets included. -- Richard Levitte]
[And I did it wrong the first time. Apologies for the duplicates]

Hi Richard,

Thanks for taking a look at this.

> [guest - Thu Oct  6 11:55:10 2005]:
>
> >   This stops our engine working with the openssl application (as it
> > registers a lock debugging callback) and Apache 2.x (and other apps
> > too no doubt)
>
> That's because those applications don't set up callbacks for the
> dynamic locks.  The correct thing to do is to talk with the
> application
> authors and tell them that there are new requirements to make engines
> work.

Unfortunately we do not have relationships with all of the
application developers for the applications that our customers use, so
this is not possible. We shall certainly apply pressure in this
direction where we can.

On that note, is there a plan to update the apps/openssl application
to not use the static lock callback for lock debugging?

> > or is there something else that we could do instead to allow our
> > engine to work with static locks?  It seems that the dynamic locks
> > are rarely used.
>
> Yes, it's true, they are rarely used...  currently.  However, I really
> would encourage people to use them more, as they are a bit more
> flexible than the static locks.  Ideally, OpenSSL should probably move
> to dynamic locks entirely, which would make maintenance quite a bit
> easier.

The dynamic locks are clearly a much better solution and removing
them from openssl will force all applications to move, which would be
a good thing in the long run. Is there a plan to do this for any
specific future release?

Why is it that the static locks have not been removed completely for
0.9.8? If it is to keep some backward compatibility with older apps,
or ones that see no reason to change, would it not be preferable if
the whole of openssl was compatible in this way, including the engines?
It seems a bit unfair on the end users who need hardware support for
openssl to keep the interface, so the apps don't realise that they need
to change, but to remove the engine support from these apps.

I appreciate that the hack for our static lock was not pleasant, but
it is no less pleasant than all the other static locks. Are you sure
we can't persuade you to put it back in until all static locks are
removed?

By the way, do you have an nCipher HSM for interop testing?

Thanks again

-john

--
John Hartley
nCipher Ltd http://www.ncipher.com

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
If this is still an issue with the current release(s), please open a new ticket.