Shutting down openssl - is the correct thing to do nothing?

Matt Caswell matt at openssl.org
Fri Jun 14 07:41:49 UTC 2019



On 14/06/2019 00:42, Graham Leggett wrote:
> Hi all,
> 
> I am currently reviewing the shutdown behaviour in both httpd’s mod_ssl and apr’s apr-crypto-openssl modules.
> 
> Am I right in understanding that from openssl v1.1.0 and upwards, all the following calls are no longer necessary, will be called automatically atexit by the openssl library, and these can be removed from the code?
> 
> https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l329
> 
>     FIPS_mode_set(0);
>     OBJ_cleanup();
>     CONF_modules_free();
>     EVP_cleanup();
>     ENGINE_cleanup();
>     SSL_COMP_free_compression_methods();
>     ERR_remove_thread_state(NULL);
>     ERR_remove_state(0);
>     ERR_free_strings();
>     CRYPTO_cleanup_all_ex_data();
> 
> https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l114
> 
>     ERR_free_strings();
>     EVP_cleanup();
>     ENGINE_cleanup();
> 

Correct. *All* of the above calls are no-ops in 1.1.0+, e.g.:

#  define EVP_cleanup() while(0) continue

There are one or two caveats around auto-init and auto-deinit of the library.
The documentation for it is here:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html

Matt
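
An added example, not part of the original thread and not code from httpd, apr-util or OpenSSL: a small Python check that finds the cleanup calls listed above in C source and reports whether each one sits under an `OPENSSL_VERSION_NUMBER` preprocessor guard. The function name, the guard heuristic (the condition is not evaluated) and the sample source are assumptions made for illustration.

```python
import re

# The cleanup calls quoted in the thread (stated there to be no-ops in 1.1.0+).
LEGACY_CALLS = (
    "FIPS_mode_set", "OBJ_cleanup", "CONF_modules_free", "EVP_cleanup",
    "ENGINE_cleanup", "SSL_COMP_free_compression_methods",
    "ERR_remove_thread_state", "ERR_remove_state", "ERR_free_strings",
    "CRYPTO_cleanup_all_ex_data",
)
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(LEGACY_CALLS))
DIRECTIVE_RE = re.compile(r"^\s*#\s*(\w+)(.*)")

def find_legacy_cleanup(source):
    # Returns (line_no, call, guarded). guarded is True when an enclosing
    # #if/#elif mentions OPENSSL_VERSION_NUMBER (heuristic, not evaluated).
    stack = []      # one bool per open conditional block
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m:       # preprocessor line: update nesting, never scan for calls
            kind, rest = m.groups()
            versioned = "OPENSSL_VERSION_NUMBER" in rest
            if kind in ("if", "ifdef", "ifndef"):
                stack.append(versioned)
            elif kind == "elif" and stack:
                stack[-1] = stack[-1] or versioned
            elif kind == "endif" and stack:
                stack.pop()
            continue
        for call in CALL_RE.findall(line.split("//", 1)[0]):
            findings.append((line_no, call, any(stack)))
    return findings

# Constructed sample, not taken from mod_ssl or apr-util.
SAMPLE = """\
static void crypto_shutdown(void)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    ERR_free_strings();
    EVP_cleanup();
#endif
    ENGINE_cleanup();
}
"""

if __name__ == "__main__":
    for line_no, call, guarded in find_legacy_cleanup(SAMPLE):
        print(f"line {line_no}: {call}() {'guarded' if guarded else 'unguarded'}")
```

Unguarded hits are the candidates for removal once a build no longer has to support OpenSSL older than 1.1.0; guarded hits are only compiled where the version condition selects them.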

