[openssl-users] Initialising OpenSSL more than once - how do we handle this?

Graham Leggett minfrin at sharp.fm
Tue Jul 24 11:40:22 UTC 2018


On 24 Jul 2018, at 12:15, Graham Leggett <minfrin at sharp.fm> wrote:

> Over at httpd we’re struggling with crashes and instability caused by attempts by various independent libraries we link to, all of which in turn link to openssl, initialising openssl multiple times. In turn these separate libraries might de-initialise openssl on shutdown expecting a re-initiailise to work and hilarity ensues.
> 
> What is the correct way to handle openssl initialisation when multiple independent libraries are all trying to initialise openssl independently of one another?
> 
> Is there reference counting of some kind?
> 
> Could instability be caused by not matching the correct teardown function calls with the correct setup function calls?

Focusing a little closer on openssl v1.1.0 we get the following, but this also seems broken at first glance.

https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html

"Once OPENSSL_cleanup() has been called the library cannot be reinitialised”.

In our case, httpd will load mod_ssl (and in APR apr_crypto_openssl) which is in turn linked to openssl, and during a restart the module (and therefore the link to openssl I believe) will be unloaded, and thus OPENSSL_cleanup() will fail when httpd finally exits and calls atexit.

Am I interpreting the above correctly?

Or is it correct in v1.1.0 and above to just not initialise anything at all, not clean anything up at all, and expect openssl to “do the right thing” when mod_ssl is unloaded?

Regards,
Graham
—



More information about the openssl-users mailing list