Posted to cvs@httpd.apache.org by yl...@apache.org on 2020/02/21 00:06:06 UTC
svn commit: r1874281 - in /httpd/httpd/branches/2.4.x: ./ CHANGES
acinclude.m4 modules/ssl/mod_ssl.c
Author: ylavic
Date: Fri Feb 21 00:06:05 2020
New Revision: 1874281
URL: http://svn.apache.org/viewvc?rev=1874281&view=rev
Log:
Merge r1861950 from trunk:
mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862
Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/acinclude.m4
httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1861950
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1874281&r1=1874280&r2=1874281&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Feb 21 00:06:05 2020
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.42
+ *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
+ [Graham Leggett]
+
*) mod_ssl: Support use of private keys and certificates from an
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
Modified: httpd/httpd/branches/2.4.x/acinclude.m4
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/acinclude.m4?rev=1874281&r1=1874280&r2=1874281&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/acinclude.m4 (original)
+++ httpd/httpd/branches/2.4.x/acinclude.m4 Fri Feb 21 00:06:05 2020
@@ -582,6 +582,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
liberrors=""
AC_CHECK_HEADERS([openssl/engine.h])
AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
+ AC_CHECK_FUNCS([OPENSSL_init_ssl])
AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
if test "x$liberrors" != "x"; then
AC_MSG_WARN([OpenSSL libraries are unusable])
Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1874281&r1=1874280&r2=1874281&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Fri Feb 21 00:06:05 2020
@@ -24,6 +24,7 @@
* Apache API interface structures
*/
+#include "ap_config_auto.h"
#include "ssl_private.h"
#include "mod_ssl.h"
#include "mod_ssl_openssl.h"
@@ -328,9 +329,16 @@ static int modssl_is_prelinked(void)
static apr_status_t ssl_cleanup_pre_config(void *data)
{
- /*
- * Try to kill the internals of the SSL library.
+#if HAVE_OPENSSL_INIT_SSL
+ /* Openssl v1.1+ handles all termination automatically. Do
+ * nothing in this case.
+ */
+
+#else
+ /* Termination below is for legacy Openssl versions v1.0.x and
+ * older.
*/
+
/* Corresponds to OBJ_create()s */
OBJ_cleanup();
/* Corresponds to OPENSSL_load_builtin_modules() */
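Review bot: The new `#if HAVE_OPENSSL_INIT_SSL` guard in ssl_cleanup_pre_config (and the matching guard in the ssl_hook_pre_config hunk below) keys on a configure-time symbol produced by the added AC_CHECK_FUNCS, so any build that does not run that autoconf check leaves the macro undefined, the condition silently evaluates to 0, and the legacy OBJ_cleanup()/CRYPTO_cleanup_all_ex_data() path runs against an OpenSSL 1.1+ library that already tears itself down. The rest of this file keys the same 1.0-vs-1.1 distinction on MODSSL_USE_OPENSSL_PRE_1_1_API (visible at the `ssl_util_thread_id_setup(pconf);` guard), which ssl_private.h presumably derives from the OpenSSL version headers, so `#if !MODSSL_USE_OPENSSL_PRE_1_1_API` would be consistent and independent of the build system; if the configure result is kept, `#ifdef HAVE_OPENSSL_INIT_SSL` at least makes the intent explicit and is clean under -Wundef. Note too that the existing `|| defined(LIBRESSL_VERSION_NUMBER)` on the CRYPTO_malloc_init() guard shows LibreSSL is treated as a pre-1.1 API here, whereas a LibreSSL build that exports OPENSSL_init_ssl would now pass the configure check and skip that legacy setup entirely; worth confirming that is intended. ssl_cleanup_pre_config's body continues past the end of this hunk.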
@@ -370,12 +378,14 @@ static apr_status_t ssl_cleanup_pre_conf
if (!modssl_running_statically) {
CRYPTO_cleanup_all_ex_data();
}
+#endif
/*
* TODO: determine somewhere we can safely shove out diagnostics
* (when enabled) at this late stage in the game:
* CRYPTO_mem_leaks_fp(stderr);
*/
+
return APR_SUCCESS;
}
@@ -385,16 +395,22 @@ static int ssl_hook_pre_config(apr_pool_
{
modssl_running_statically = modssl_is_prelinked();
- /* Some OpenSSL internals are allocated per-thread, make sure they
- * are associated to the/our same thread-id until cleaned up.
+#if HAVE_OPENSSL_INIT_SSL
+ /* Openssl v1.1+ handles all initialisation automatically, apart
+ * from hints as to how we want to use the library.
+ *
+ * We tell openssl we want to include engine support.
*/
+ OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
+
+#else
+ /* Configuration below is for legacy versions Openssl v1.0 and
+ * older.
+ */
+
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
ssl_util_thread_id_setup(pconf);
#endif
-
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
(void)CRYPTO_malloc_init();
#else
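Review bot: The return value of `OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);` is discarded, yet it is the only initialisation the 1.1+ path performs and it returns 0 on failure, after which the pre-config hook carries on (OBJ_create() follows in the next hunk) as if the library were usable. The comment above it says OpenSSL "handles all initialisation automatically", but the engine flag passed here is what the comment itself says enables engine support, so a failed call presumably leaves the ENGINE-backed certificate/key loading mentioned in CHANGES unavailable with no diagnostic. I would check it: `if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL)) {` / `    ap_log_perror(APLOG_MARK, APLOG_CRIT, 0, pconf, "OPENSSL_init_ssl() failed");` / `    return !OK; }` — the exact failure status depends on ssl_hook_pre_config's return convention, which is outside the hunk. The function's signature is cut at the hunk header and its body continues past the end of this hunk.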
@@ -408,6 +424,7 @@ static int ssl_hook_pre_config(apr_pool_
#endif
OpenSSL_add_all_algorithms();
OPENSSL_load_builtin_modules();
+#endif
if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
(void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",