You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2020/02/21 00:06:06 UTC

svn commit: r1874281 - in /httpd/httpd/branches/2.4.x: ./ CHANGES acinclude.m4 modules/ssl/mod_ssl.c

Author: ylavic
Date: Fri Feb 21 00:06:05 2020
New Revision: 1874281

URL: http://svn.apache.org/viewvc?rev=1874281&view=rev
Log:
Merge r1861950 from trunk:

mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.

Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/acinclude.m4
    httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1861950

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1874281&r1=1874280&r2=1874281&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Feb 21 00:06:05 2020
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.42
 
+  *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
+     [Graham Leggett]
+
   *) mod_ssl: Support use of private keys and certificates from an
      OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
      [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

Modified: httpd/httpd/branches/2.4.x/acinclude.m4
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/acinclude.m4?rev=1874281&r1=1874280&r2=1874281&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/acinclude.m4 (original)
+++ httpd/httpd/branches/2.4.x/acinclude.m4 Fri Feb 21 00:06:05 2020
@@ -582,6 +582,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
       liberrors=""
       AC_CHECK_HEADERS([openssl/engine.h])
       AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
+      AC_CHECK_FUNCS([OPENSSL_init_ssl])
       AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
       if test "x$liberrors" != "x"; then
         AC_MSG_WARN([OpenSSL libraries are unusable])

Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1874281&r1=1874280&r2=1874281&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Fri Feb 21 00:06:05 2020
@@ -24,6 +24,7 @@
  *  Apache API interface structures
  */
 
+#include "ap_config_auto.h"
 #include "ssl_private.h"
 #include "mod_ssl.h"
 #include "mod_ssl_openssl.h"
@@ -328,9 +329,16 @@ static int modssl_is_prelinked(void)
 
 static apr_status_t ssl_cleanup_pre_config(void *data)
 {
-    /*
-     * Try to kill the internals of the SSL library.
+#if HAVE_OPENSSL_INIT_SSL
+    /* Openssl v1.1+ handles all termination automatically. Do
+     * nothing in this case.
+     */
+
+#else
+    /* Termination below is for legacy Openssl versions v1.0.x and
+     * older.
      */
+
     /* Corresponds to OBJ_create()s */
     OBJ_cleanup();
     /* Corresponds to OPENSSL_load_builtin_modules() */
@@ -370,12 +378,14 @@ static apr_status_t ssl_cleanup_pre_conf
     if (!modssl_running_statically) {
         CRYPTO_cleanup_all_ex_data();
     }
+#endif
 
     /*
      * TODO: determine somewhere we can safely shove out diagnostics
      *       (when enabled) at this late stage in the game:
      * CRYPTO_mem_leaks_fp(stderr);
      */
+
     return APR_SUCCESS;
 }
 
@@ -385,16 +395,22 @@ static int ssl_hook_pre_config(apr_pool_
 {
     modssl_running_statically = modssl_is_prelinked();
 
-    /* Some OpenSSL internals are allocated per-thread, make sure they
-     * are associated to the/our same thread-id until cleaned up.
+#if HAVE_OPENSSL_INIT_SSL
+    /* Openssl v1.1+ handles all initialisation automatically, apart
+     * from hints as to how we want to use the library.
+     *
+     * We tell openssl we want to include engine support.
      */
+    OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
+
+#else
+    /* Configuration below is for legacy versions Openssl v1.0 and
+     * older.
+     */
+
 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
     ssl_util_thread_id_setup(pconf);
 #endif
-
-    /* We must register the library in full, to ensure our configuration
-     * code can successfully test the SSL environment.
-     */
 #if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
     (void)CRYPTO_malloc_init();
 #else
@@ -408,6 +424,7 @@ static int ssl_hook_pre_config(apr_pool_
 #endif
     OpenSSL_add_all_algorithms();
     OPENSSL_load_builtin_modules();
+#endif
 
     if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
         (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",