[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mod_ssl and openssl 1.0.2 initialization

On Wed, Jul 18, 2018 at 3:14 PM, Stefan Eissing
<stefan.eissing@xxxxxxxxxxxxx> wrote:
> Something fishy reported in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=62552
> Which points to a problem with CRYPTO_THREADID and crypto locks and
> initialization oder in OpenSSL 1.0.2. (I believe OpenSSL 1.1.x
> eleminated that).
> During the analysis of the bug, there seem to be 3 modules in play
> that use openssl: mod_ssl, mod_md and mod_authn_dbd (mysql).
> Depending on configuration and load order the server works or
> crashes.

Yes, I agree that we have an issue with openssl (< 1.1)
loading/unloading/initialization for different modules: core, mod_ssl,
mod_md, mod_crypto (via APR), mod_authn_dbd (I wasn't aware of this
one using openssl), ... (others?) may all use openssl and in arbitrary
order depending on the configuration.

> Generally, the rule seems to be:
> - without mod_authn_dbd (and directive for mysql driver), all is
> well - with it, crash in mod_md md_crypto_init (which calls
> RAND_status(), which crashes) - *unless* mod_ssl is loaded before the
> others.
> This seems a bit nasty. Does someone of our mod_ssl experts agree to
> this analysis and that crypto locking is the issue?
> If so, what can we do about it?

I started to try to centralize openssl setup in APR (r1833421, but I'm
being cautious here because it kind of has been reverted lately...).
What do you think of an 'apr_crypto_lib_init("openssl", ..., pool)'
call from any module, where all the init/cleanup would be done once
for all with the lifetime of the given pool (pconf, or pglobal if the
core itself uses openssl).
It does not include threads' locking for now, but this could be added
based on existing httpd code.

Unfortunately in any case this will require APR-1.7 (at best), so in
the meantime we might want an httpd only solution, like optional
I wonder which module would provide them though, mod_ssl looks quite
straightforward but then it would be a requirement for, e.g.
mod_authn_dbd? This does not look right either...
Or maybe there could be a way to autoload a mod_openssl (functional
only) module?