Hello!

On Tue, Dec 07, 2021 at 03:01:40PM -0500, Bradley Hess wrote:

> Hello Maxim,
>
> Ah, well that explains why a patch like this has never been upstreamed,
> even though it exists in a bunch of places on teh interwebz. Sorry,
> I didn't do enough archeology here.
>
> I didn't realize the `init = 1` workaround existed, so thanks for the
> pointer there. However, it would be ideal if users could use OpenSSL's
> dynamic engine loading, and avoid authoring an OpenSSL config file.
>
> From the description in the issue you linked, it looks like the patch was
> removed for OpenSSL 1.0.x compatibility. Would you accept a patch that
> supplies the init/finish directives only if the OpenSSL version >= 1.1.0?
>
> At this point many distros have OpenSSL 1.1 and a fixed PKCS #11 engine;
> for example, the patch I submitted worked smoothly with OpenSSL 1.1 and the
> PKCS #11 engine available on Debian 11, and without any engine config.

As outlined in the message I linked, at least Ubuntu 18.04 ships
OpenSSL 1.1.x but an old pkcs11 engine, so the patch will result
in segfaults even if restricted to OpenSSL 1.1.x. As far as I
understand, that's still the case.

Note well that engines are deprecated in OpenSSL 3.0.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel