[PATCH] Add ENGINE_init/finish directives around ENGINE_load_private_key.

Maxim Dounin mdounin at mdounin.ru
Tue Dec 7 21:49:37 UTC 2021


On Tue, Dec 07, 2021 at 03:01:40PM -0500, Bradley Hess wrote:

> Hello Maxim,
> Ah, well that explains why a patch like this has never been upstreamed,
> even though it exists in a bunch of places on teh interwebz.  Sorry,
> I didn't do enough archeology here.
> I didn't realize the `init = 1` workaround existed, so thanks for the
> pointer there.  However, it would be ideal if users could use OpenSSL's
> dynamic engine loading, and avoid authoring an OpenSSL config file.
> From the description in the issue you linked, it looks like the patch was
> removed for OpenSSL 1.0.x compatibility.  Would you accept a patch that
> supplies the init/finish directives only if the OpenSSL version >= 1.1.0?
> At this point many distros have OpenSSL 1.1 and a fixed PKCS #11 engine;
> for example, the patch I submitted worked smoothly with OpenSSL 1.1 and the
> PKCS #11 engine available on Debian 11, and without any engine config.

As outlined in the message I linked, at least Ubuntu 18.04 ships 
OpenSSL 1.1.x but an old pkcs11 engine, so the patch will result 
in segfaults even if restricted to OpenSSL 1.1.x.  As far as I 
understand, that's still the case.

Note well that engines are deprecated in OpenSSL 3.0.

Maxim Dounin
