[PATCH] SSL: Add ENGINE_init() calls before using engines.
ansasaki at redhat.com
Wed Apr 25 17:48:41 UTC 2018
> Typically engines initialize themselves in bind(), if not, they are
> initialized by openssl.cnf ("default_algorithms"), why use "init = 0" in
> your openssl config and rely this openssl engine stuff to nginx?
Following the OpenSSL documentation, the application is responsible for initializing the engines.
Some engines, like the engine_pkcs11, rely on this and expect an explicit call to ENGINE_init().
The engines which initialize themselves, as far as I know, are actually doing a workaround to avoid the problem with non-compliant applications.
In the specific case of engine_pkcs11, setting "init" and "default_algorithms" in openssl.cnf does not initialize the engine.
It would be interesting for nginx to follow the OpenSSL documentation and be compatible with more engines.
For the specific case of the engine_pkcs11, it is interesting to support it because it allows using PKCS#11 URIs transparently.
There were efforts in the past (, , ) to improve the support for PKCS#11 integration with nginx.