[PATCH] SSL: Add ENGINE_init() calls before using engines.
ansasaki at redhat.com
Fri May 18 08:36:53 UTC 2018
> The patch looks correct to me. Though it causes a segmentation
> faults within pkcs11 engine when using such loaded keys at least
> on Ubuntu 18.04 (OpenSSL 1.1.0g, pkcs11 engine from libp11 0.4.7).
> Segmentation faults can be reproduced with the test you've sent
> Using an explitic "init = 1" in openssl.conf resolves this, as
> well as commenting out ENGINE_finish(), so it looks like it cannot
> handle ENGINE_finish() while certificates loaded from the engine
> are still in use.
> Possible options might be:
> - avoid any changes, and require "init = 1" as we effectively do
> - add explicit lists of engines initialized, and call
> ENGINE_finish() once no longer needed (probably somewhere in
> - avoid calling ENGINE_finish() with appropriate explanation of
> the problem;
> - dig further into what goes on in OpenSSL / pkcs11 engine, and
> fix things (might be already resolved in ).
The root of the problem is solved in the patch you pointed out above. The libp11-0.4.7 release is missing this EVP_PKEY_set1_engine() call. Without this, the engine is not properly associated with the EVP_PKEY object, preventing the OpenSSL automatic re-initialization of the engine to take place when the key is used.
With the inclusion of such patch, the ENGINE_finish() can be safely called. As long as the key keeps the structural reference to the engine, it will be re-initialized when needed.
I've tested in Fedora, where the same problem occurs. Since I am currently a co-maintainer of the engine in Fedora, I can fix it there. But I can't fix it on Ubuntu.
More information about the nginx-devel