Greetings! We have found an inconsistent behaviour of the openssl engine command. The problem appeared in version 1.0.1d in case openssl is built with --enable-shared.
1. When the config file does not mention the gost engine, the command “openssl engine” does not mention gost among the loaded engines. If we invoke “openssl engine gost”, it provides the necessary information about the engine. Everything is ok. 2. If we provide the describing gost engine section in the config file ============= openssl_conf = openssl_def [ openssl_def ] engines = engines_section [ engines_section ] gost = gost_section [ gost_section ] engine_id = gost default_algorithms = ALL ============== “openssl engine gost” reports an error: ============= GOST engine already loaded 140403073971872:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521: 140403073971872:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost ============== It seems understandable because the gost engine should be loaded processing the config file, and the provided command tries to load the engine twice, and the second load is prohibited. But the command “openssl engine” still does not mention the gost engine among the loaded engines. Such a behaviour seems to be a bug. 3. If we provide the “dynamic_path” directive AFTER the “default_algorithms” one, (dynamic_path = path_to_openssl_dir/lib/engines/libgost.so) then either “openssl engine gost” or “openssl engine” without extra parameters cause an error: =============== GOST engine already loaded Error configuring OpenSSL 140167406061216:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521: 140167406061216:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=gost_section, name=dynamic_path, value=/path/to/lib/engines/libgost.so 140167406061216:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engines_section, retcode=-1 ================ This result differs from the behaviour of the 1.01c version. In the 1.0.1c version the error did not occur. 4. If we provide the “dynamic_path” directive BEFORE the “default_algorithms” one, (dynamic_path = path_to_openssl_dir/lib/engines/libgost.so) then “openssl engine” without extra parameters enlist the gost engine as loaded and the either “openssl engine gost” provides the information about the gost engine. We suppose that this inconsistency can cause a more serious problems. For example, we know that apache 2.2 gets a segfault using the gost engine with openssl 1.0.1e (it did not happen with earlier versions), though we did not investigate it yet. Thank you! -- SY, Dmitry Belyavsky
