Shutting down openssl - is the correct thing to do nothing?

Matt Caswell matt at openssl.org
Fri Jun 14 09:12:19 UTC 2019



On 14/06/2019 09:17, Graham Leggett wrote:
> On 14 Jun 2019, at 09:41, Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
> 
>> Correct. *All* of the above calls are no-ops in 1.1.0+, e.g:
>>
>> #  define EVP_cleanup() while(0) continue
>>
>> There are one or two caveats around auto-init and auto-deinit of the library.
>> The documentation for it is here:
>>
>> https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
> 
> Further to the above question, having read the documentation, it looks like all
> of these init routines should be removed in v1.1.0 and above:

Mostly, but not quite. The library will automatically initialise itself with no
requirement to explicitly do so. However there are certain things that don't
happen automatically because they're not necessarily appropriate for all
applications. See comments below:

> 
> https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l398
> 
> CRYPTO_malloc_init();

This function doesn't exist at all in 1.1.0+.

> OPENSSL_malloc_init();

This is a no-op in 1.1.0+

> ERR_load_crypto_strings();
> SSL_load_error_strings();
> SSL_library_init();

These all happen automatically. There is no need to call them directly. They're
all macros for calling OPENSSL_init_crypto() explicitly with default
options...but since they are default options anyway there is no need to do this.

> ENGINE_load_builtin_engines();

This does NOT happen automatically. It is a non-default option in
OPENSSL_init_crypto(). You can get the same effect by calling
OPENSSL_init_crypto with the OPENSSL_INIT_ENGINE_ALL_BUILTIN option explicitly. See:

https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html

> OpenSSL_add_all_algorithms();

No need to call this one. Its a macro for calling OPENSSL_init_crypto()
explicitly with default options - but this will happen anyway.

> OPENSSL_load_builtin_modules();

This does NOT happen automatically if you are just using libcrypto. This is used
for initialising config file modules. libcrypto does not automatically load a
config file. If you call OPENSSL_init_crypto() explicitly with the
OPENSSL_INIT_LOAD_CONFIG option then it will load the config file and end up
calling the above function automatically as part of that.

In 1.1.1 a config file is loaded automatically for libssl users. So if you're a
1.1.1 libssl user then you don't need to call this function. A config file is
not loaded automatically for libssl in 1.1.0.

It is expected that in OpenSSL 3.0 loading a config file will happen
automatically in both libcrypto and libssl.

> 
> https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l133
> 
> CRYPTO_malloc_init();
> OPENSSL_malloc_init();
> ERR_load_crypto_strings();
> OpenSSL_add_all_algorithms();
> ENGINE_load_builtin_engines();

As above.

> ENGINE_register_all_complete();

This is the same as for ENGINE_load_builtin_engines(). It does NOT happen
automatically, but will get called if you use the
OPENSSL_INIT_ENGINE_ALL_BUILTIN option to OPENSSL_init_crypto.


Matt
> 
> Can you confirm I’ve interpreted this correctly?
> 
> Regards,
> Graham
>> 


More information about the openssl-users mailing list