[PATCH] SSL: Add ENGINE_init() calls before using engines.

Anderson Sasaki ansasaki at redhat.com
Fri May 18 08:36:53 UTC 2018

> The patch looks correct to me.  Though it causes a segmentation
> faults within pkcs11 engine when using such loaded keys at least
> on Ubuntu 18.04 (OpenSSL 1.1.0g, pkcs11 engine from libp11 0.4.7).
> Segmentation faults can be reproduced with the test you've sent
> earlier.
> Using an explitic "init = 1" in openssl.conf resolves this, as
> well as commenting out ENGINE_finish(), so it looks like it cannot
> handle ENGINE_finish() while certificates loaded from the engine
> are still in use.
> Possible options might be:
> - avoid any changes, and require "init = 1" as we effectively do
>   now;
> - add explicit lists of engines initialized, and call
>   ENGINE_finish() once no longer needed (probably somewhere in
>   ngx_ssl_cleanup_ctx());
> - avoid calling ENGINE_finish() with appropriate explanation of
>   the problem;
> - dig further into what goes on in OpenSSL / pkcs11 engine, and
>   fix things (might be already resolved in [1]).
> [1]
> https://github.com/OpenSC/libp11/commit/da725ab727342083478150a203a3c80c4551feb4

The root of the problem is solved in the patch you pointed out above. The libp11-0.4.7 release is missing this EVP_PKEY_set1_engine() call. Without this, the engine is not properly associated with the EVP_PKEY object, preventing the OpenSSL automatic re-initialization of the engine to take place when the key is used.

With the inclusion of such patch, the ENGINE_finish() can be safely called. As long as the key keeps the structural reference to the engine, it will be re-initialized when needed.

I've tested in Fedora, where the same problem occurs. Since I am currently a co-maintainer of the engine in Fedora, I can fix it there. But I can't fix it on Ubuntu.

Best Regards,

More information about the nginx-devel mailing list