From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001
From: Quentin Armitage
Date: Tue, 12 Mar 2019 14:58:38 +0000
Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1

OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new() if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously been called. This commit doesn't call OPENSSL_init_crypto() if doing so causes SSL_CTX_new() to fail.

Signed-off-by: Quentin Armitage
---
 configure.ac | 30 ++++++++++++++++++++++++++++++
 keepalived/check/check_ssl.c | 6 ++++++
 2 files changed, 36 insertions(+)

diff --git a/configure.ac b/configure.ac
index 89399ca3..504b9b92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
 # TLS_method() introduced OpenSSL v1.1.0
 AC_CHECK_FUNCS([TLS_method])
+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
+ [
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include ]],
+ [[
+ const SSL_METHOD *meth;
+ SSL_CTX *ctx;
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ return 1;
+ /* Initialize SSL context */
+ meth = TLS_method();
+ if (!(ctx = SSL_CTX_new(meth)))
+ return 1;
+ return 0;
+ ]])],
+ [openssl_init_no_load_bug=0],
+ [openssl_init_no_load_bug=1],
+ [
+ AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.])
+ openssl_init_no_load_bug=1
+ ]
+ )
+ AS_IF([test $openssl_init_no_load_bug -eq 1],
+ [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])])
+ ])
 unset LIBS
 if test $BUILD_GENHASH = No; then
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 6bf6a005..2743ea87 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -69,8 +69,14 @@ build_ssl_ctx(void)
 /* Library initialization */
 #if HAVE_OPENSSL_INIT_CRYPTO
+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
+ * presumably more efficient not to load it. */
 if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
 log_message(LOG_INFO, "OPENSSL_init_crypto failed");
+#endif
 #else
 SSL_library_init();
 SSL_load_error_strings();
-- 2.20.1
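Review bot: Both failure paths of the probe program `return 1;`, and the result is never reported through AC_MSG_CHECKING/AC_MSG_RESULT, so a test program that fails for any unrelated reason (or, if the `[[#include ]]` line really is empty rather than a rendering loss, one that does not compile at all) silently defines HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG and thereby changes how keepalived initializes OpenSSL at runtime. Returning a distinct code from the OPENSSL_init_crypto() check (`return 2;`) and wrapping the AC_RUN_IFELSE in an AC_CACHE_CHECK would make the decision visible in config.log and reproducible across builds. The warning text `Cannot determine if need to OPENSSL_init_crypto() problem` and the AC_DEFINE description `Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)` both read as garbled, the latter with an unbalanced parenthesis; I would use `AC_MSG_WARN([Cannot determine whether OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) breaks SSL_CTX_new(); assuming it does, for safety.])` and `[Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) makes SSL_CTX_new() fail]`.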
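Review bot: When HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG is defined the `#if HAVE_OPENSSL_INIT_CRYPTO` branch is left empty, so keepalived performs no explicit OpenSSL initialization at all and relies on the library initializing itself from the SSL_CTX_new() call further down, which, going by the added comment, apparently means the default OpenSSL configuration file does get loaded. The comment justifies the skip as "presumably more efficient", which hides that runtime behavior (whether that configuration file is processed) now depends on a configure-time probe; I would state that directly, e.g. `/* HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG: on the build-time OpenSSL, calling OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) here made SSL_CTX_new() fail (see configure.ac), so initialization is left to the library, which presumably loads the default config. */`. build_ssl_ctx() continues outside the hunk, including the SSL_CTX_new() call the comment refers to.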