mod_ssl and openssl 1.0.2 initialization
Something fishy reported in https://bz.apache.org/bugzilla/show_bug.cgi?id=62552
Which points to a problem with CRYPTO_THREADID and crypto locks and initialization order in OpenSSL 1.0.2. (I believe OpenSSL 1.1.x eliminated that.)
During the analysis of the bug, there seem to be 3 modules in play that use openssl: mod_ssl, mod_md and mod_authn_dbd (mysql). Depending on configuration and load order the server works or crashes. Generally, the rule seems to be:
- without mod_authn_dbd (and directive for mysql driver), all is well
- with it, crash in mod_md md_crypto_init (which calls RAND_status(), which crashes)
- *unless* mod_ssl is loaded before the others.
This seems a bit nasty. Do any of our mod_ssl experts agree with this analysis and that crypto locking is the issue?
If so, what can we do about it?