[PATCH] Add ENGINE_init/finish directives around ENGINE_load_private_key.
mdounin at mdounin.ru
Tue Dec 7 21:49:37 UTC 2021
On Tue, Dec 07, 2021 at 03:01:40PM -0500, Bradley Hess wrote:
> Hello Maxim,
> Ah, well that explains why a patch like this has never been upstreamed,
> even though it exists in a bunch of places on teh interwebz. Sorry,
> I didn't do enough archeology here.
> I didn't realize the `init = 1` workaround existed, so thanks for the
> pointer there. However, it would be ideal if users could use OpenSSL's
> dynamic engine loading, and avoid authoring an OpenSSL config file.
> From the description in the issue you linked, it looks like the patch was
> removed for OpenSSL 1.0.x compatibility. Would you accept a patch that
> supplies the init/finish directives only if the OpenSSL version >= 1.1.0?
> At this point many distros have OpenSSL 1.1 and a fixed PKCS #11 engine;
> for example, the patch I submitted worked smoothly with OpenSSL 1.1 and the
> PKCS #11 engine available on Debian 11, and without any engine config.
As outlined in the message I linked, at least Ubuntu 18.04 ships
OpenSSL 1.1.x but an old pkcs11 engine, so the patch will result
in segfaults even if restricted to OpenSSL 1.1.x. As far as I
understand, that's still the case.
Note well that engines are deprecated in OpenSSL 3.0.
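For readers unfamiliar with the `init = 1` workaround mentioned above, this is an added example of what such an OpenSSL configuration looks like; it is not part of the thread or of nginx itself. With `init = 1` in the engine section, the OpenSSL config loader calls ENGINE_init on the engine at load time and holds the functional reference, which is what lets ENGINE_load_private_key succeed later without nginx wrapping the call in ENGINE_init/ENGINE_finish. The `dynamic_path` and `MODULE_PATH` values are placeholders and must be replaced with the paths on the system in question; the file is pointed to via the OPENSSL_CONF environment variable or used as the system-wide openssl.cnf.

```ini
# Added example: OpenSSL 1.1.x engine configuration with the init = 1 workaround.
# Paths below are placeholders, not values from the thread.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Engine id used by nginx's ssl_engine directive and the engine: key prefix.
engine_id = pkcs11
# Placeholder: location of the dynamic pkcs11 engine shared object.
dynamic_path = /PLACEHOLDER/engines-1.1/pkcs11.so
# Placeholder: the PKCS #11 provider library for the token in use.
MODULE_PATH = /PLACEHOLDER/libpkcs11-provider.so
# Have the config loader call ENGINE_init and keep the functional reference.
init = 1
```

The trade-off discussed in the thread applies here too: the workaround needs an external config file per deployment, which is what the proposed patch was trying to avoid, while keeping nginx's code independent of the engine's own init behaviour.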