Shutting down openssl - is the correct thing to do nothing?
I am currently reviewing the shutdown behaviour in both httpd’s mod_ssl and apr’s apr-crypto-openssl modules.
Am I right in understanding that from openssl v1.1.0 and upwards, all the following calls are no longer necessary, will be called automatically atexit by the openssl library, and these can be removed from the code?
Re: Shutting down openssl - is the correct thing to do nothing?
On 14/06/2019 09:17, Graham Leggett wrote:
> On 14 Jun 2019, at 09:41, Matt Caswell <[hidden email]> wrote:
>> Correct. *All* of the above calls are no-ops in 1.1.0+, e.g:
>> # define EVP_cleanup() while(0) continue
>> There are one or two caveats around auto-init and auto-deinit of the library.
>> The documentation for it is here:
>> https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
> Further to the above question, having read the documentation, it looks like all
> of these init routines should be removed in v1.1.0 and above:
Mostly, but not quite. The library will automatically initialise itself with no
requirement to explicitly do so. However there are certain things that don't
happen automatically because they're not necessarily appropriate for all
applications. See comments below:
These all happen automatically. There is no need to call them directly. They're
all macros for calling OPENSSL_init_crypto() explicitly with default
options...but since they are default options anyway there is no need to do this.
This does NOT happen automatically. It is a non-default option in
OPENSSL_init_crypto(). You can get the same effect by calling
OPENSSL_init_crypto with the OPENSSL_INIT_ENGINE_ALL_BUILTIN option explicitly. See:
No need to call this one. It's a macro for calling OPENSSL_init_crypto()
explicitly with default options - but this will happen anyway.
This does NOT happen automatically if you are just using libcrypto. This is used
for initialising config file modules. libcrypto does not automatically load a
config file. If you call OPENSSL_init_crypto() explicitly with the
OPENSSL_INIT_LOAD_CONFIG option then it will load the config file and end up
calling the above function automatically as part of that.
In 1.1.1 a config file is loaded automatically for libssl users. So if you're a
1.1.1 libssl user then you don't need to call this function. A config file is
not loaded automatically for libssl in 1.1.0.
It is expected that in OpenSSL 3.0 loading a config file will happen
automatically in both libcrypto and libssl.