From: William Lallemand
Date: Tue, 12 Mar 2024 11:03:07 +0000 (+0100)
Subject: MEDIUM: ssl: initialize the SSL stack explicitely
X-Git-Tag: v3.0-dev6~105
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e9e4a8f501191044bf37341b6b5df68219e9e1c;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: initialize the SSL stack explicitely

In issue #2448, users are complaining that FIPS is not working correctly since the removal of SSL_library_init().

This was removed because SSL_library_init() is deprecated with OpenSSL 3.x and emits a warning. But the initialization was not needed anymore because it is done at the first openssl API call.

However in some cases it is needed. SSL_library_init() is now a define to OPENSSL_init_ssl(0, NULL). This patch adds OPENSSL_init_ssl(0, NULL) to the init.

This could be backported in every stable branch, however let's wait before backporting it.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 307f18945a..bd2031c738 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -7490,6 +7490,8 @@ static void __ssl_sock_init(void) xprt_register(XPRT_SSL, &ssl_sock); #if HA_OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); +#elif HA_OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_ssl(0, NULL); #endif #if (!defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION)) cm = SSL_COMP_get_compression_methods();
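
Review bot: the return value of the added OPENSSL_init_ssl(0, NULL) call in __ssl_sock_init() is discarded, so a failed library initialization goes unnoticed at startup. OPENSSL_init_ssl() returns 1 on success and 0 on error, and the commit message says this call is what FIPS setups depend on, so a failure here is worth reporting. Since __ssl_sock_init() returns void, consider at least emitting a startup error when the call returns 0. Two smaller points on the same lines: the new `#elif HA_OPENSSL_VERSION_NUMBER >= 0x10100000L` is the exact complement of the preceding `#if HA_OPENSSL_VERSION_NUMBER < 0x10100000L`, so a plain `#else` would be equivalent and easier to read. A one-line comment pointing to issue #2448 would also explain why the explicit call is kept even though OpenSSL initializes itself on first API use, which would help prevent it from being removed again as redundant.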