Shouldn't no-pinshared be the default?

Yann Ylavic ylavic.dev at gmail.com
Mon Mar 4 23:37:53 UTC 2019


Hi,

after quite some time trying to convert Apache httpd (and libapr) to
the new OPENSSL_init/cleanup() 1.1 API, and wondering why openssl libs
would not unload with mod_ssl as before (1.0 and earlier), I found the
ELF NODELETE flag (gcc's -znodelete) and the new (no-)pinshared config
option (though available in 1.1.1 only, not in 1.1.0 AFAICT).

Unfortunately pinshared openssl can't work with the way httpd
dlopen/close()s mod_ssl, which itself initializes and cleans up
openssl, at each restart. Once openssl is cleaned up, it won't
re-initialize due to internal static variables (and it worked so far
in httpd because all the legacy cleanup methods currently used, like
OBJ/EVP/ENGINE_cleanup, are all no-ops now).

IIUC from some previous threads on this list, the new way to cleanup
openssl is to not cleanup (explicitly), which causes issues with some
usages obviously (and is possibly why build time no-pinshared and run
time OPENSSL_INIT_NO_ATEXIT appeared in 1.1.1).

So my question is, why isn't no-pinshared the default?
ISTM that pinshared is enabled on linux only, and linux has
__cxa_atexit semantics for atexit() already, so dlclose() should
already call OPENSSL_cleanup() when needed.
Thus with OPENSSL_INIT_NO_ATEXIT now available the user could choose
at runtime whether (s)he wants to call OPENSSL_cleanup() explicitly
or let openssl clean up by itself.

Of course one can build his/her own openssl with no-pinshared, but I
suppose distros don't, so all software that needs to unload openssl
needs to build its own one... Another concern is that neither
no-pinshared nor OPENSSL_INIT_NO_ATEXIT is available in 1.1.0.

Am I missing something?

Regards,
Yann.
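The mechanism behind the post, as an added example that is not part of the original message and not OpenSSL or httpd code: a shared object that "pins" itself (by taking a dlopen() reference it never releases, or by re-opening itself with RTLD_NODELETE; both are generic dynamic-loader techniques, and which one a given OpenSSL build uses is not claimed here) survives the host's dlclose(), and an RTLD_NOLOAD probe is the check that tells you whether a library is still mapped afterwards. A stand-alone program cannot build a second shared object, so the example assumes a glibc system and uses libm.so.6 as a stand-in for libcrypto; the names LIB, lib_is_loaded(), load_use_close() and run_experiment() are this example's own.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Stand-in for libcrypto. Assumption: a glibc system where libm.so.6 exists
 * and is not already linked into this program (the experiment detects the
 * latter and reports it rather than failing). */
static const char *LIB = "libm.so.6";

/* Probe whether LIB is mapped right now. RTLD_NOLOAD never loads anything:
 * it returns a handle only if the object is already resident. The handle
 * still counts as a reference, so it is released immediately. This is the
 * check to run after dlclose()ing a module to see whether the library went
 * away with it. */
static int lib_is_loaded(void)
{
    void *h = dlopen(LIB, RTLD_NOW | RTLD_NOLOAD);
    if (h == NULL)
        return 0;
    dlclose(h);
    return 1;
}

enum pin_mode {
    PIN_NONE,       /* plain dlopen/dlclose: glibc unmaps at refcount 0 */
    PIN_EXTRA_REF,  /* take one more reference and never release it */
    PIN_NODELETE    /* reopen with RTLD_NODELETE: refcount 0 no longer unmaps */
};

/* What a host like httpd does to a module at restart: load, use, dlclose.
 * Returns 1 if LIB is still mapped afterwards, 0 if it was unloaded,
 * -1 on a dlopen/dlsym error. */
static int load_use_close(enum pin_mode mode)
{
    void *h = dlopen(LIB, RTLD_NOW);
    if (h == NULL)
        return -1;

    double (*sqrt_fn)(double);
    *(void **) &sqrt_fn = dlsym(h, "sqrt");   /* POSIX-style function pointer fetch */
    if (sqrt_fn == NULL) {
        dlclose(h);
        return -1;
    }
    (void) sqrt_fn(2.0);

    if (mode == PIN_EXTRA_REF) {
        void *keep = dlopen(LIB, RTLD_NOW | RTLD_NOLOAD);
        (void) keep;            /* deliberately never dlclose()d: this is the pin */
    } else if (mode == PIN_NODELETE) {
        void *p = dlopen(LIB, RTLD_NOW | RTLD_NOLOAD | RTLD_NODELETE);
        if (p != NULL)
            dlclose(p);         /* the flag sticks to the object, not to this handle */
    }

    dlclose(h);
    return lib_is_loaded();
}

/* Runs the whole experiment. Returns:
 *   1  an unpinned dlclose() unmapped LIB, and a pinned LIB survived dlclose()
 *   2  LIB was already mapped before we began (linked in, or pinned by
 *      someone else), so only the "survives" half could be shown
 *  -1  a dlopen/dlsym call failed, or the pin did not take */
static int run_experiment(void)
{
    int already = lib_is_loaded();

    int plain = load_use_close(PIN_NONE);
    if (plain < 0)
        return -1;

    int pinned = load_use_close(PIN_NODELETE);
    if (pinned != 1 || lib_is_loaded() != 1)
        return -1;

    if (already)
        return 2;
    return plain == 0 ? 1 : -1;
}

int main(void)
{
    switch (run_experiment()) {
    case 1:
        printf("plain dlclose() unmapped %s; the pinned copy survived dlclose()\n", LIB);
        return 0;
    case 2:
        printf("%s was already mapped; the pinned copy survived dlclose()\n", LIB);
        return 0;
    default:
        printf("experiment failed (dlopen/dlsym error, or pin did not take)\n");
        return 1;
    }
}
```

Whichever pin is applied first holds for the life of the process: once run_experiment() has promoted the object to NODELETE, every later dlopen/dlclose cycle reports it as still mapped, which is exactly the behaviour the post observes when a pinshared libcrypto is loaded through a module that the host later dlclose()s. A linker-level DT_FLAGS_1 NODELETE (gcc -z nodelete) has the same effect from the first load onward, and readelf -d on the object shows that flag, whereas a runtime pin like the two above leaves no trace in the file and can only be detected with the RTLD_NOLOAD probe.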

