Hello,

> The patch looks correct to me. Though it causes a segmentation
> faults within pkcs11 engine when using such loaded keys at least
> on Ubuntu 18.04 (OpenSSL 1.1.0g, pkcs11 engine from libp11 0.4.7).
> Segmentation faults can be reproduced with the test you've sent
> earlier.
>
> Using an explitic "init = 1" in openssl.conf resolves this, as
> well as commenting out ENGINE_finish(), so it looks like it cannot
> handle ENGINE_finish() while certificates loaded from the engine
> are still in use.
>
> Possible options might be:
>
> - avoid any changes, and require "init = 1" as we effectively do
> now;
>
> - add explicit lists of engines initialized, and call
> ENGINE_finish() once no longer needed (probably somewhere in
> ngx_ssl_cleanup_ctx());
>
> - avoid calling ENGINE_finish() with appropriate explanation of
> the problem;
>
> - dig further into what goes on in OpenSSL / pkcs11 engine, and
> fix things (might be already resolved in [1]).
>
> [1]
> https://github.com/OpenSC/libp11/commit/da725ab727342083478150a203a3c80c4551feb4

The root of the problem is solved in the patch you pointed out above. The libp11-0.4.7 release is missing this EVP_PKEY_set1_engine() call. Without this, the engine is not properly associated with the EVP_PKEY object, preventing the OpenSSL automatic re-initialization of the engine to take place when the key is used.

With the inclusion of such patch, the ENGINE_finish() can be safely called. As long as the key keeps the structural reference to the engine, it will be re-initialized when needed.

I've tested in Fedora, where the same problem occurs. Since I am currently a co-maintainer of the engine in Fedora, I can fix it there. But I can't fix it on Ubuntu.

Best Regards,
Anderson
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel