Merge r1861950 from trunk:

mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.

Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874281 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 6014b1513a9f90d09e37d83b69a99aaa31ebb545..a8cf17250f041fcd584aa4880b4da3bda6b70a2e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.42
 
+  *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
+     [Graham Leggett]
+
   *) mod_ssl: Support use of private keys and certificates from an
      OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
      [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

diff --git a/acinclude.m4 b/acinclude.m4
index 6b38ca841ddd55db7435123b40451d4f67adb7f6..97635f1ba5d33b09264f443d7eb4d37356c29048 100644 (file)
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -582,6 +582,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
       liberrors=""
       AC_CHECK_HEADERS([openssl/engine.h])
       AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
+      AC_CHECK_FUNCS([OPENSSL_init_ssl])
       AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
       if test "x$liberrors" != "x"; then
         AC_MSG_WARN([OpenSSL libraries are unusable])

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index dc5130648cd2766f5422d6aeef446aa775325ef0..f8d2ddd97c92cc03162f996f082d36e5e816f8dc 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -24,6 +24,7 @@
  *  Apache API interface structures
  */
 
+#include "ap_config_auto.h"
 #include "ssl_private.h"
 #include "mod_ssl.h"
 #include "mod_ssl_openssl.h"
@@ -328,9 +329,16 @@ static int modssl_is_prelinked(void)
 
 static apr_status_t ssl_cleanup_pre_config(void *data)
 {
-    /*
-     * Try to kill the internals of the SSL library.
+#if HAVE_OPENSSL_INIT_SSL
+    /* Openssl v1.1+ handles all termination automatically. Do
+     * nothing in this case.
+     */
+
+#else
+    /* Termination below is for legacy Openssl versions v1.0.x and
+     * older.
      */
+
     /* Corresponds to OBJ_create()s */
     OBJ_cleanup();
     /* Corresponds to OPENSSL_load_builtin_modules() */
@@ -370,12 +378,14 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
     if (!modssl_running_statically) {
         CRYPTO_cleanup_all_ex_data();
     }
+#endif
 
     /*
      * TODO: determine somewhere we can safely shove out diagnostics
      *       (when enabled) at this late stage in the game:
      * CRYPTO_mem_leaks_fp(stderr);
      */
+
     return APR_SUCCESS;
 }
 
@@ -385,16 +395,22 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 {
     modssl_running_statically = modssl_is_prelinked();
 
-    /* Some OpenSSL internals are allocated per-thread, make sure they
-     * are associated to the/our same thread-id until cleaned up.
+#if HAVE_OPENSSL_INIT_SSL
+    /* Openssl v1.1+ handles all initialisation automatically, apart
+     * from hints as to how we want to use the library.
+     *
+     * We tell openssl we want to include engine support.
      */
+    OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
+
+#else
+    /* Configuration below is for legacy versions Openssl v1.0 and
+     * older.
+     */
+
 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
     ssl_util_thread_id_setup(pconf);
 #endif
-
-    /* We must register the library in full, to ensure our configuration
-     * code can successfully test the SSL environment.
-     */
 #if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
     (void)CRYPTO_malloc_init();
 #else
@@ -408,6 +424,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 #endif
     OpenSSL_add_all_algorithms();
     OPENSSL_load_builtin_modules();
+#endif
 
     if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
         (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",