OPENSSL_config vs OPENSSL_init_crypto

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

OPENSSL_config vs OPENSSL_init_crypto

Samuel Williams
Hello,

I am trying to understand what is the correct initialization process for Ruby's SSL module. It's not my area so any input would be most welcome.


Thanks,
Samuel
Reply | Threaded
Open this post in threaded view
|

Re: OPENSSL_config vs OPENSSL_init_crypto

Matt Caswell-2


On 08/10/2019 00:20, Samuel Williams wrote:
> Hello,
>
> I am trying to understand what is the correct initialization process for Ruby's
> SSL module. It's not my area so any input would be most welcome.
>
> https://github.com/ruby/openssl/pull/267

Reading that PR it seems your objective is to ensure that the config file is
loaded before you do any libssl work.

How OpenSSL behaves depends on the version. Note that OpenSSL 1.1.0 is now out
of support, and OpenSSL 1.0.2 goes out of support at the end of this year.

From OpenSSL 1.1.0 and onwards OpenSSL auto-initialises so, in most cases, there
is no need to explicitly call initialisation functions such as
OPENSSL_init_crypto() or OPENSSL_init_ssl(). The only reason for applications to
ever call these functions directly is if you want some non-default
initialisation to occur. I notice that Ruby's SSL module is explicitly calling
OPENSSL_init_ssl() with 0 and NULL for arguments - which just gives you the
default initialisation. There seems little point in this - that will happen
automatically the first time you create an SSL_CTX.

From OpenSSL 1.1.1 onwards loading the config file is part of libssl's default
initialisation, i.e. as soon as you create an SSL_CTX OPENSSL_init_ssl() is
called automatically and the config file is loaded. Therefore there is no need
to take any specific action on this version of OpenSSL.

In OpenSSL 1.1.0 (which is now out of support), loading the config file was
*not* part of the default initialisation. You can force it to be loaded using
the OPENSSL_INIT_LOAD_CONFIG option to OPENSSL_init_ssl():

OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);

You *may* choose to do this unconditionally in both 1.1.0 and 1.1.1 if you wish.
In 1.1.1 it has no effect because that's the default anyway - but it does no harm.

OpenSSL 1.0.2 (out of support from the end of this year) does not automatically
initialise/de-initialise and OPENSSL_init_crypto() and OPENSSL_init_ssl() do not
even exist. Therefore you have to call initialisation functions explicitly.
Calling OPENSSL_config() there would seem reasonable.

Hope that helps,

Matt