-rw-r--r-- | CHANGES | 3 | ||||
-rw-r--r-- | acinclude.m4 | 1 | ||||
-rw-r--r-- | modules/ssl/mod_ssl.c | 33 |
3 files changed, 29 insertions, 8 deletions
@@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+. + [Graham Leggett] + *) mod_proxy_http2: adding support for handling trailers in both directions. PR 63502. [Stefan Eissing] diff --git a/acinclude.m4 b/acinclude.m4 index 19af48a6e1..d57e7f7bb9 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -608,6 +608,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[ liberrors="" AC_CHECK_HEADERS([openssl/engine.h]) AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"]) + AC_CHECK_FUNCS([OPENSSL_init_ssl]) AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd \ CRYPTO_set_id_callback]) if test "x$liberrors" != "x"; then diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 588de2ce92..b9e1ded137 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -24,6 +24,7 @@ * Apache API interface structures */ +#include "ap_config_auto.h" #include "ssl_private.h" #include "mod_ssl.h" #include "mod_ssl_openssl.h" @@ -334,9 +335,16 @@ static int modssl_is_prelinked(void) static apr_status_t ssl_cleanup_pre_config(void *data) { - /* - * Try to kill the internals of the SSL library. +#if HAVE_OPENSSL_INIT_SSL + /* Openssl v1.1+ handles all termination automatically. Do + * nothing in this case. + */ + +#else + /* Termination below is for legacy Openssl versions v1.0.x and + * older. */ + /* Corresponds to OBJ_create()s */ OBJ_cleanup(); /* Corresponds to OPENSSL_load_builtin_modules() */ @@ -376,12 +384,14 @@ static apr_status_t ssl_cleanup_pre_config(void *data) if (!modssl_running_statically) { CRYPTO_cleanup_all_ex_data(); } +#endif /* * TODO: determine somewhere we can safely shove out diagnostics * (when enabled) at this late stage in the game: * CRYPTO_mem_leaks_fp(stderr); */ + return APR_SUCCESS; } 
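Review bot: `#if HAVE_OPENSSL_INIT_SSL` at the top of ssl_cleanup_pre_config (and again in ssl_hook_pre_config in the later hunk) depends on a macro that only the configure probe defines. A build that does not run APACHE_CHECK_OPENSSL would presumably take the legacy 1.0.x initialisation and teardown path even when linked against OpenSSL 1.1+. AC_CHECK_FUNCS also leaves the macro undefined rather than 0 when the symbol is missing, which `-Wundef` flags. I would test definedness and add a version fallback in both places, e.g. `#if defined(HAVE_OPENSSL_INIT_SSL) || (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))`. The function body continues outside this hunk.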
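Review bot: The bare `#endif` added before the TODO comment is far from the `#if HAVE_OPENSSL_INIT_SSL` it closes, which sits in the previous hunk. The matching one added at the end of the legacy block in ssl_hook_pre_config follows several nested `#if`/`#endif` pairs. Label both as `#endif /* HAVE_OPENSSL_INIT_SSL */` so a later edit does not put a teardown or initialisation call on the wrong side of the guard.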
@@ -394,16 +404,22 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, #endif modssl_running_statically = modssl_is_prelinked(); - /* Some OpenSSL internals are allocated per-thread, make sure they - * are associated to the/our same thread-id until cleaned up. +#if HAVE_OPENSSL_INIT_SSL + /* Openssl v1.1+ handles all initialisation automatically, apart + * from hints as to how we want to use the library. + * + * We tell openssl we want to include engine support. */ + OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); + +#else + /* Configuration below is for legacy versions Openssl v1.0 and + * older. + */ + #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API ssl_util_thread_id_setup(pconf); #endif - - /* We must register the library in full, to ensure our configuration - * code can successfully test the SSL environment. - */ #if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER) (void)CRYPTO_malloc_init(); #else @@ -417,6 +433,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, #endif OpenSSL_add_all_algorithms(); OPENSSL_load_builtin_modules(); +#endif if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", |
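Review bot: The result of `OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL)` is discarded, so a failed library initialisation lets ssl_hook_pre_config carry on. The OBJ_txt2nid()/OBJ_create() calls after the `#endif` would then run against a library that reported it could not initialise. The function returns 1 on success and 0 on error, so check it and fail the hook, for example `if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL)) return HTTP_INTERNAL_SERVER_ERROR;`, or use whatever failure status this hook returns elsewhere, which is not visible here. Logging the OpenSSL error queue first would help. The hook's body starts and ends outside the hunk.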