From: Remi Gacogne Date: Fri, 11 Mar 2022 13:08:05 +0000 (+0100) Subject: libssl: Load only the ciphers and digests needed for TLS, not all of them X-Git-Tag: auth-4.7.0-alpha1~68^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11166%2Fhead;p=thirdparty%2Fpdns.git libssl: Load only the ciphers and digests needed for TLS, not all of them OPENSSL_init_crypto(), added in 1.1.0, loads all available ciphers and digests by default. Since we only need the TLS-related ones, that only increases the startup time and the memory usage. Before: ``` OPENSSL_INIT: ossl_init_base: Setting up stop handlers OPENSSL_INIT: ossl_init_register_atexit() OPENSSL_INIT: ossl_init_load_crypto_nodelete() OPENSSL_INIT: openssl_config_int((null), (null), 50) OPENSSL_INIT: ossl_init_engine_rdrand: engine_load_rdrand_int() OPENSSL_INIT: ossl_init_thread_start: marking thread for err_state OPENSSL_INIT: ossl_init_load_crypto_strings: err_load_crypto_strings_int() OPENSSL_INIT: ossl_init_engine_dynamic: engine_load_dynamic_int() OPENSSL_INIT: ossl_init_add_all_ciphers: openssl_add_all_ciphers_int() OPENSSL_INIT: ossl_init_add_all_digests: openssl_add_all_digests() OPENSSL_INIT: ossl_init_ssl_base: Adding SSL ciphers and digests OPENSSL_INIT: ossl_init_ssl_base: SSL_COMP_get_compression_methods() OPENSSL_INIT: ossl_init_ssl_base: SSL_add_ssl_module() OPENSSL_INIT: ossl_init_load_ssl_strings: ERR_load_SSL_strings() OPENSSL_INIT: ossl_init_thread_start: marking thread for rand OPENSSL_INIT: ossl_init_thread_start: marking thread for rand ``` After: ``` OPENSSL_INIT: ossl_init_base: Setting up stop handlers OPENSSL_INIT: ossl_init_register_atexit() OPENSSL_INIT: ossl_init_load_crypto_nodelete() OPENSSL_INIT: openssl_config_int((null), (null), 50) OPENSSL_INIT: ossl_init_engine_rdrand: engine_load_rdrand_int() OPENSSL_INIT: ossl_init_thread_start: marking thread for err_state OPENSSL_INIT: ossl_init_load_crypto_strings: err_load_crypto_strings_int() OPENSSL_INIT: 
ossl_init_engine_dynamic: engine_load_dynamic_int() OPENSSL_INIT: ossl_init_ssl_base: Adding SSL ciphers and digests OPENSSL_INIT: ossl_init_ssl_base: SSL_COMP_get_compression_methods() OPENSSL_INIT: ossl_init_ssl_base: SSL_add_ssl_module() OPENSSL_INIT: ossl_init_load_ssl_strings: ERR_load_SSL_strings() OPENSSL_INIT: ossl_init_thread_start: marking thread for rand OPENSSL_INIT: ossl_init_thread_start: marking thread for rand ```
---
diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index 4f4f4e20f0..1b7d476c4b 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -80,12 +80,17 @@ void registerOpenSSLUser()
   if (s_users.fetch_add(1) == 0) {
 #ifdef HAVE_OPENSSL_INIT_CRYPTO
     /* load the default configuration file (or one specified via OPENSSL_CONF),
-       which can then be used to load engines */
-    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, nullptr);
+       which can then be used to load engines.
+       Do not load all ciphers and digests, we only need a few of them and these
+       will be loaded by OPENSSL_init_ssl(). */
+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG|OPENSSL_INIT_NO_ADD_ALL_CIPHERS|OPENSSL_INIT_NO_ADD_ALL_DIGESTS, nullptr);
+    OPENSSL_init_ssl(0, nullptr);
 #endif
 #if (OPENSSL_VERSION_NUMBER < 0x1010000fL || (defined LIBRESSL_VERSION_NUMBER && LIBRESSL_VERSION_NUMBER < 0x2090100fL))
+    /* load error strings for both libcrypto and libssl */
     SSL_load_error_strings();
+    /* load all ciphers and digests needed for TLS support */
     OpenSSL_add_ssl_algorithms();
     openssl_thread_setup();
 #endif
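Review bot: The return values of the added `OPENSSL_init_crypto(...)` and `OPENSSL_init_ssl(0, nullptr)` calls are discarded, so a failure to load the configuration named by OPENSSL_CONF (which the comment says is relied on to load engines) or any other initialisation error goes unnoticed and TLS setup continues on a library that did not initialise; both return 1 on success and 0 on error, so I would write `if (OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG|OPENSSL_INIT_NO_ADD_ALL_CIPHERS|OPENSSL_INIT_NO_ADD_ALL_DIGESTS, nullptr) != 1 || OPENSSL_init_ssl(0, nullptr) != 1) {` and log or throw there, matching however the rest of this file reports libssl errors. Passing OPENSSL_INIT_NO_ADD_ALL_CIPHERS and OPENSSL_INIT_NO_ADD_ALL_DIGESTS also changes what is visible to name-based lookups such as EVP_get_digestbyname()/EVP_get_cipherbyname() anywhere else in the same process, which from now on only see the TLS subset registered by OPENSSL_init_ssl(); whether any such caller exists cannot be seen from this hunk and is worth a grep before merging. It would help to extend the new comment with that consequence, e.g. `/* NOTE: algorithms not needed by TLS are no longer registered by name; use the EVP_xxx() accessors directly */`. The body of registerOpenSSLUser() continues past the end of the hunk.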