From: Yann Ylavic Date: Fri, 21 Feb 2020 00:06:05 +0000 (+0000) Subject: Merge r1861950 from trunk: X-Git-Tag: 2.4.42~69 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e7c049b8eb58f28233aec05c355be9b66470cad;p=thirdparty%2Fapache%2Fhttpd.git Merge r1861950 from trunk: mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+. Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862 Submitted by: minfrin Reviewed by: minfrin, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874281 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 6014b1513a9..a8cf17250f0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*- Changes with Apache 2.4.42
+ *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
+ [Graham Leggett]
+
 *) mod_ssl: Support use of private keys and certificates from an OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile. [Anderson Sasaki , Joe Orton]
diff --git a/acinclude.m4 b/acinclude.m4
index 6b38ca841dd..97635f1ba5d 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -582,6 +582,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
 liberrors=""
 AC_CHECK_HEADERS([openssl/engine.h])
 AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
+ AC_CHECK_FUNCS([OPENSSL_init_ssl])
 AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
 if test "x$liberrors" != "x"; then
 AC_MSG_WARN([OpenSSL libraries are unusable])
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index dc5130648cd..f8d2ddd97c9 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -24,6 +24,7 @@
 * Apache API interface structures
 */
+#include "ap_config_auto.h"
 #include "ssl_private.h"
 #include "mod_ssl.h"
 #include "mod_ssl_openssl.h"
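Review bot: `HAVE_OPENSSL_INIT_SSL` is defined only by the new `AC_CHECK_FUNCS([OPENSSL_init_ssl])`, so any build of mod_ssl.c that does not go through configure will take the legacy `#else` path even against OpenSSL 1.1+, and `#if HAVE_OPENSSL_INIT_SSL` in mod_ssl.c then evaluates an undefined identifier (silent under default warnings, a diagnostic under -Wundef). Whether that fallback is intended is not visible here; a comment next to the check, `dnl Defines HAVE_OPENSSL_INIT_SSL; without it mod_ssl.c uses the pre-1.1 init/cleanup sequence`, would record the contract, and `#ifdef HAVE_OPENSSL_INIT_SSL` in mod_ssl.c would avoid relying on the undefined-macro-is-zero rule. The new `#include "ap_config_auto.h"` in mod_ssl.c is presumably what makes the macro visible there ahead of ssl_private.h; a one-line comment saying so would help the next reader, since the other headers are already included through ssl_private.h.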
@@ -328,9 +329,16 @@ static int modssl_is_prelinked(void)
 static apr_status_t ssl_cleanup_pre_config(void *data)
 {
- /*
- * Try to kill the internals of the SSL library.
+#if HAVE_OPENSSL_INIT_SSL
+ /* Openssl v1.1+ handles all termination automatically. Do
+ * nothing in this case.
+ */
+
+#else
+ /* Termination below is for legacy Openssl versions v1.0.x and
+ * older.
 */
+
 /* Corresponds to OBJ_create()s */
 OBJ_cleanup();
 /* Corresponds to OPENSSL_load_builtin_modules() */
@@ -370,12 +378,14 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
 if (!modssl_running_statically) {
 CRYPTO_cleanup_all_ex_data();
 }
+#endif
 /*
 * TODO: determine somewhere we can safely shove out diagnostics
 * (when enabled) at this late stage in the game:
 * CRYPTO_mem_leaks_fp(stderr);
 */
+
 return APR_SUCCESS;
 }
@@ -385,16 +395,22 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 {
 modssl_running_statically = modssl_is_prelinked();
- /* Some OpenSSL internals are allocated per-thread, make sure they
- * are associated to the/our same thread-id until cleaned up.
+#if HAVE_OPENSSL_INIT_SSL
+ /* Openssl v1.1+ handles all initialisation automatically, apart
+ * from hints as to how we want to use the library.
+ *
+ * We tell openssl we want to include engine support.
 */
+ OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
+
+#else
+ /* Configuration below is for legacy versions Openssl v1.0 and
+ * older.
+ */
+
 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
 ssl_util_thread_id_setup(pconf);
 #endif
-
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
 #if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
 (void)CRYPTO_malloc_init();
 #else
@@ -408,6 +424,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 #endif
 OpenSSL_add_all_algorithms();
 OPENSSL_load_builtin_modules();
+#endif
 if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
 (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
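Review bot: In the `ssl_hook_pre_config` hunk the result of `OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL)` is discarded, but the call returns 0 on failure and the hook then carries on as though the library were initialised; the tail of the function is outside the hunk, so the exact error status used elsewhere in it is not visible. I would check it and fail the hook, along the lines of `if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL)) { /* log via ap_log_perror */ return HTTP_INTERNAL_SERVER_ERROR; }`, so a broken libssl is reported at startup rather than at the first handshake. The new comment also deserves one more sentence: on OpenSSL 1.1.1 and later OPENSSL_init_ssl() implicitly adds OPENSSL_INIT_LOAD_CONFIG, so the OpenSSL configuration file is now applied during pre_config, whereas the legacy branch shown here only calls `OPENSSL_load_builtin_modules()`; if that behaviour change is not wanted, `OPENSSL_INIT_NO_LOAD_CONFIG` can be OR'ed into the flags, and either way the choice should be written down next to the call. Minor style point across all four hunks: the new comments write "Openssl"/"openssl" while the surrounding code uses "OpenSSL".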