(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)
If WITHOUT_LIB_CRYPTO is defined in sys-crypto.h, then non-TLS modules
will have access to MD5() and SHA1() built with lighttpd (algo_md5.[ch]
and algo_sha1.[ch]), but not to other message digest algorithms.
As of this commit, this affects only mod_secdownload with SHA256 digest
and mod_auth* modules using HTTP Digest Auth with digest=SHA-256, which
is not currently well-supported by client browers (besides Opera)
use NSS crypto if no other crypto avail, but NSS crypto is available
"NSS crypto support" is not included in tests/LightyTest.pm:has_crypto()
due to NSS libraries (freebl3) lacking public export for HMAC funcs
Prefer some WolfSSL native APIs when building with WolfSSL.
However, some functionality in WolfSSL is available only through the
WolfSSL compatibility layer for OpenSSL, so the effort to create a
native mod_wolfssl halted here.
defer li_rand_init() until first use of li_rand_pseudo_bytes()
li_rand_init() is now deferred until first use so that installations
that do not use modules which use these routines do need to potentially
block at startup. Current use by core lighttpd modules is in mod_auth
HTTP Digest auth and in mod_usertrack. Deferring collection of random
data until first use may allow sufficient entropy to be collected by
kernel before first use, helping reduce or avoid situations in
low-entropy-generating embedded devices which might otherwise block
lighttpd for minutes at device startup. Further discussion in