[PATCH] SSL: Add ENGINE_init() calls before using engines.

Anderson Sasaki ansasaki at redhat.com
Wed Apr 25 17:48:41 UTC 2018


Hello,

> Typically engines initialize themselves in bind(), if not, they are
> initialized by openssl.cnf ("default_algorithms"), why use "init = 0" in
> your openssl config and rely this openssl engine stuff to nginx?

Following the OpenSSL documentation, the application is responsible for initializing the engines.
Some engines, like the engine_pkcs11, rely on this and expects an explicit call to ENGINE_init().
The engines which initialize themselves, as far as I know, are actually doing a workaround to avoid the problem with non-compliant applications.

In the specific case of engine_pkcs11, setting the "init" and "default_algorithms" in openssl.cnf do not initialize the engine.

It would be interesting for nginx to follow the OpenSSL documentation and be compatible with more engines.
For the specific case of the engine_pkcs11, it is interesting to support it because it allows using PKCS#11 URIs transparently.
There were efforts in the past ([0], [1], [2]) to improve the support for PKCS#11 integration with nginx.

[0] http://mailman.nginx.org/pipermail/nginx-devel/2014-November/006188.html
[1] http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006786.html
[2] http://mailman.nginx.org/pipermail/nginx-devel/2015-June/007074.html

Best regards,
Anderson




More information about the nginx-devel mailing list