The patch looks correct to me. Though it causes segmentation faults within the pkcs11 engine when using such loaded keys, at least on Ubuntu 18.04 (OpenSSL 1.1.0g, pkcs11 engine from libp11 0.4.7). The segmentation faults can be reproduced with the test you've sent earlier.
Using an explicit "init = 1" in openssl.conf resolves this, as does commenting out ENGINE_finish(), so it looks like it cannot handle ENGINE_finish() while certificates loaded from the engine are still in use.
Possible options might be:
avoid any changes, and require "init = 1" as we effectively do now;
add explicit lists of engines initialized, and call ENGINE_finish() once no longer needed (probably somewhere in ngx_ssl_cleanup_ctx());
avoid calling ENGINE_finish() with appropriate explanation of the problem;
dig further into what goes on in OpenSSL / pkcs11 engine, and fix things (might be already resolved in ).
The root of the problem is solved in the patch you pointed out above. The libp11-0.4.7 release is missing this EVP_PKEY_set1_engine() call. Without it, the engine is not properly associated with the EVP_PKEY object, preventing OpenSSL's automatic re-initialization of the engine from taking place when the key is used.
With the inclusion of such patch, the ENGINE_finish() can be safely called. As long as the key keeps the structural reference to the engine, it will be re-initialized when needed.
I've tested in Fedora, where the same problem occurs. Since I am currently a co-maintainer of the engine in Fedora, I can fix it there. But I can't fix it on Ubuntu.
Best Regards, Anderson
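The two messages above describe the same mechanism from two sides: the first one observes that an early ENGINE_finish() crashes the pkcs11 engine unless "init = 1" keeps it initialised, and the second one explains that EVP_PKEY_set1_engine() gives the key its own reference so OpenSSL can re-initialise the engine when the key is used. The following C program is an added illustration, not code from nginx, OpenSSL or libp11: it is a simplified model of OpenSSL's structural/functional ENGINE reference counting (the `model_*` names, the `config_init` flag standing in for "init = 1", and the `method_owner` pointer standing in for the key's method data are all assumptions of this model) and shows, for each combination, whether the key is still usable after the loader's ENGINE_finish().

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Simplified model (added illustration, not OpenSSL code): an ENGINE
 * carries a structural reference count (the object exists) and a
 * functional reference count (the engine is initialised and usable).
 * ENGINE_init() takes one of each and runs the init hook on the 0->1
 * transition; ENGINE_finish() releases one of each and runs the finish
 * hook on the 1->0 transition. */
typedef struct {
    const char *id;
    int struct_ref;
    int funct_ref;
    bool initialised;   /* set by the init hook, cleared by the finish hook */
    int init_calls;     /* how often the init hook ran */
} model_engine;

typedef struct {
    model_engine *engine;              /* set by EVP_PKEY_set1_engine(); NULL if not associated */
    const model_engine *method_owner;  /* engine whose method/private data the key uses */
} model_key;

static int model_engine_init(model_engine *e) {
    if (e->funct_ref == 0) {
        e->initialised = true;        /* the real engine would open its token session here */
        e->init_calls++;
    }
    e->struct_ref++;
    e->funct_ref++;
    return 1;
}

static int model_engine_finish(model_engine *e) {
    if (e->funct_ref <= 0)
        return 0;
    if (--e->funct_ref == 0)
        e->initialised = false;       /* finish hook: token session torn down */
    e->struct_ref--;
    return 1;
}

/* Key loading as done by the engine's load_privkey callback. With
 * associate == true the key also takes its own reference on the engine,
 * which is what the missing EVP_PKEY_set1_engine() call provides. */
static void model_load_key(model_engine *e, model_key *k, bool associate) {
    k->method_owner = e;
    k->engine = NULL;
    if (associate) {
        k->engine = e;
        model_engine_init(e);
    }
}

/* Using the key: OpenSSL calls ENGINE_init() on the key's associated
 * engine (the "automatic re-initialization"), then the key's method runs
 * against the loading engine's private data. Where the real code would
 * dereference torn-down state, this model returns 0 instead. */
static int model_key_use(const model_key *k) {
    int ok;
    if (k->engine != NULL && !model_engine_init(k->engine))
        return 0;
    ok = k->method_owner->initialised ? 1 : 0;
    if (k->engine != NULL)
        model_engine_finish(k->engine);
    return ok;
}

/* Scenario from the thread: (optionally) "init = 1" from the config holds
 * a permanent reference; the loader does ENGINE_init(), loads a key,
 * calls ENGINE_finish(), and the key is used afterwards.
 * Returns 1 if the key is still usable, 0 otherwise. */
static int scenario(bool config_init, bool associate, model_engine *e) {
    model_key key;
    memset(e, 0, sizeof *e);
    e->id = "pkcs11";
    if (config_init)
        model_engine_init(e);             /* reference held for the process lifetime */
    model_engine_init(e);                 /* loader's ENGINE_init() */
    model_load_key(e, &key, associate);
    model_engine_finish(e);               /* loader's ENGINE_finish() */
    return model_key_use(&key);
}

int main(void) {
    model_engine e;
    printf("no init=1, no set1_engine: usable=%d\n", scenario(false, false, &e));
    printf("init=1,    no set1_engine: usable=%d\n", scenario(true, false, &e));
    printf("no init=1, set1_engine:    usable=%d funct_ref=%d init_calls=%d\n",
           scenario(false, true, &e), e.funct_ref, e.init_calls);
    return 0;
}
```

The first line of output reproduces the failure the thread describes (engine torn down while the key still points at its data), the second shows why "init = 1" masks it (the config's reference keeps the functional count above zero), and the third shows the fix: the key's own reference keeps the engine initialised across the loader's ENGINE_finish(), so the init hook runs exactly once and one functional reference remains until the key is freed.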