On 14/06/2019 00:42, Graham Leggett wrote:
> Hi all,
>
> I am currently reviewing the shutdown behaviour in both httpd’s mod_ssl and
> apr’s apr-crypto-openssl modules.
>
> Am I right in understanding that from openssl v1.1.0 and upwards, all the
> following calls are no longer necessary, will be called automatically atexit
> by the openssl library, and these can be removed from the code?
>
> https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l329
>
> FIPS_mode_set(0);
> OBJ_cleanup();
> CONF_modules_free();
> EVP_cleanup();
> ENGINE_cleanup();
> SSL_COMP_free_compression_methods();
> ERR_remove_thread_state(NULL);
> ERR_remove_state(0);
> ERR_free_strings();
> CRYPTO_cleanup_all_ex_data();
>
> https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l114
>
> ERR_free_strings();
> EVP_cleanup();
> ENGINE_cleanup();
>
Correct. *All* of the above calls are no-ops in 1.1.0+, e.g.:
# define EVP_cleanup() while(0) continue
There are one or two caveats around auto-init and auto-deinit of the library.
The documentation for it is here:
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
Matt