[openssl-users] Initialising OpenSSL more than once - how do we handle this?

Graham Leggett minfrin at sharp.fm
Mon Jul 30 12:26:32 UTC 2018


On 24 Jul 2018, at 18:06, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:

>> Or is it correct in v1.1.0 and above to just not initialise anything at all, not clean anything up at all, and expect openssl to “do the right thing” when mod_ssl is unloaded?
> 
> Yes.  And *especially* when the code that depends on OpenSSL is itself a library.
> OpenSSL is now (and should ideally always have been) self-initializing.

What should the behaviour be in openssl < 1.1.0?

The scenario is as follows:

- httpd runs.
- httpd dynamically loads mod_ssl, apr_crypto_openssl, libpq, libldap, etc.
- mod_ssl, apr_crypto_openssl, libpq, libldap, etc in turn dynamically load openssl.
- At some point a graceful shutdown is attempted and mod_ssl, apr_crypto_openssl, libpq, libldap, etc are unloaded.
- …what next?

How should mod_ssl, apr_crypto_openssl, libpq, libldap, etc handle the unloading of openssl < 1.1.0?

Should they run the openssl init functions but not the teardown functions? (And just accept a leak).

Should they suppress attempts to unload mod_ssl, apr_crypto_openssl, libpq, libldap, etc if we know for sure that openssl < 1.1.0 is linked to them?

Regards,
Graham
—


