From: Graham Leggett
Date: Sun, 23 Jun 2019 21:55:48 +0000 (+0000)
Subject: mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
X-Git-Tag: 2.5.0-alpha2-ci-test-only~2009
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e3277b05b196909aa7d53c3bd59686eb042e432;p=thirdparty%2Fapache%2Fhttpd.git

mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.

Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1861950 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 154ef99b5dd..c603a7b006b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
+ *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
+ [Graham Leggett]
+
 *) mod_proxy_http2: adding support for handling trailers in both
 directions. PR 63502. [Stefan Eissing]
diff --git a/acinclude.m4 b/acinclude.m4
index 19af48a6e11..d57e7f7bb9d 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -608,6 +608,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
 liberrors=""
 AC_CHECK_HEADERS([openssl/engine.h])
 AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
+ AC_CHECK_FUNCS([OPENSSL_init_ssl])
 AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd \
 CRYPTO_set_id_callback])
 if test "x$liberrors" != "x"; then
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 588de2ce92f..b9e1ded137e 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -24,6 +24,7 @@
 * Apache API interface structures
 */
+#include "ap_config_auto.h"
 #include "ssl_private.h"
 #include "mod_ssl.h"
 #include "mod_ssl_openssl.h"
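Review bot: The new `#include "ap_config_auto.h"` placed ahead of `ssl_private.h` exists only to expose the configure-generated `HAVE_OPENSSL_INIT_SSL` macro that the guards later in this file test, and nothing on the line says so; a short comment, `/* for HAVE_OPENSSL_INIT_SSL from configure */`, would save the next reader from wondering why a module source includes the autoconf header directly. Presumably the httpd headers pulled in by `ssl_private.h` already include it on autoconf builds, so the explicit include may be redundant, while on any build that does not generate this header the unconditional include will not compile — worth confirming against the non-autoconf build files. Where the configure check is skipped or fails, the macro is simply undefined and the legacy initialisation path is selected silently even against OpenSSL 1.1+, with nothing reported at build time.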
@@ -334,9 +335,16 @@ static int modssl_is_prelinked(void)
 static apr_status_t ssl_cleanup_pre_config(void *data)
 {
- /*
- * Try to kill the internals of the SSL library.
+#if HAVE_OPENSSL_INIT_SSL
+ /* Openssl v1.1+ handles all termination automatically. Do
+ * nothing in this case.
+ */
+
+#else
+ /* Termination below is for legacy Openssl versions v1.0.x and
+ * older.
 */
+
 /* Corresponds to OBJ_create()s */
 OBJ_cleanup();
 /* Corresponds to OPENSSL_load_builtin_modules() */
@@ -376,12 +384,14 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
 if (!modssl_running_statically) {
 CRYPTO_cleanup_all_ex_data();
 }
+#endif
 /*
 * TODO: determine somewhere we can safely shove out diagnostics
 * (when enabled) at this late stage in the game:
 * CRYPTO_mem_leaks_fp(stderr);
 */
+
 return APR_SUCCESS;
 }
@@ -394,16 +404,22 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 #endif
 modssl_running_statically = modssl_is_prelinked();
- /* Some OpenSSL internals are allocated per-thread, make sure they
- * are associated to the/our same thread-id until cleaned up.
+#if HAVE_OPENSSL_INIT_SSL
+ /* Openssl v1.1+ handles all initialisation automatically, apart
+ * from hints as to how we want to use the library.
+ *
+ * We tell openssl we want to include engine support.
 */
+ OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
+
+#else
+ /* Configuration below is for legacy versions Openssl v1.0 and
+ * older.
+ */
+
 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
 ssl_util_thread_id_setup(pconf);
 #endif
-
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
 #if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
 (void)CRYPTO_malloc_init();
 #else
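Review bot: `#if HAVE_OPENSSL_INIT_SSL` at the top of `ssl_cleanup_pre_config` tests a macro that `AC_CHECK_FUNCS` defines only when the function is found, so the conventional and `-Wundef`-clean form is `#ifdef HAVE_OPENSSL_INIT_SSL`; the same applies to the matching guard in the `ssl_hook_pre_config` hunk below and to the `#endif` lines in the two hunks that close them. This file already carries a version switch, `MODSSL_USE_OPENSSL_PRE_1_1_API`, which the new `#else` branch in the pre_config hunk still consults, so the 1.1+ decision is now made by two independent mechanisms that can disagree; a LibreSSL build, which the existing `defined(LIBRESSL_VERSION_NUMBER)` test groups with the pre-1.1 API, would take the new branch if its libssl exports `OPENSSL_init_ssl`. Either gate on the existing macro or say in the new comment why the link-time check was preferred over the version check. With the cleanup body compiled out, `modssl_running_statically` appears to be consulted only on the legacy path now; noting that next to "handles all termination automatically" would help, since the static-versus-dynamic distinction seems to be why the `CRYPTO_cleanup_all_ex_data()` call was conditional. `ssl_cleanup_pre_config` starts in this hunk and continues into the next one.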
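Review bot: The return value of `OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL)` is discarded, yet the call reports failure with 0 and `ssl_hook_pre_config` then continues into configuration with a library that did not initialise; check it, e.g. `if (OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL) != 1) {` followed by a logged error and a non-OK return from the hook. The legacy branch still calls `OpenSSL_add_all_algorithms()` and `OPENSSL_load_builtin_modules()`, while the new branch passes only the engine flag, so whether the library's default options for `OPENSSL_init_ssl()` cover those (config-module loading in particular) is worth confirming and stating in the comment instead of "handles all initialisation automatically". The removed comment about per-thread internals was the rationale for the `ssl_util_thread_id_setup(pconf)` call that remains; moving that sentence into the new legacy comment keeps the reason next to the call it explains. `ssl_hook_pre_config` starts before this hunk and continues past it.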
@@ -417,6 +433,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 #endif
 OpenSSL_add_all_algorithms();
 OPENSSL_load_builtin_modules();
+#endif
 if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
 (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",