Hello,

> The patch looks correct to me. Though it causes segmentation
> faults within pkcs11 engine when using such loaded keys at least
> on Ubuntu 18.04 (OpenSSL 1.1.0g, pkcs11 engine from libp11 0.4.7).
> Segmentation faults can be reproduced with the test you've sent
> earlier.
>
> Using an explicit "init = 1" in openssl.conf resolves this, as
> well as commenting out ENGINE_finish(), so it looks like it cannot
> handle ENGINE_finish() while certificates loaded from the engine
> are still in use.
>
> Possible options might be:
>
> - avoid any changes, and require "init = 1" as we effectively do
>   now;
>
> - add explicit lists of engines initialized, and call
>   ENGINE_finish() once no longer needed (probably somewhere in
>   ngx_ssl_cleanup_ctx());
>
> - avoid calling ENGINE_finish() with appropriate explanation of
>   the problem;
>
> - dig further into what goes on in OpenSSL / pkcs11 engine, and
>   fix things (might be already resolved in [1]).
>
> [1] https://github.com/OpenSC/libp11/commit/da725ab727342083478150a203a3c80c4551feb4
The root of the problem is solved in the patch you pointed out above. The libp11-0.4.7 release is missing this EVP_PKEY_set1_engine() call. Without this, the engine is not properly associated with the EVP_PKEY object, preventing the OpenSSL automatic re-initialization of the engine from taking place when the key is used.

With the inclusion of such a patch, ENGINE_finish() can be safely called. As long as the key keeps the structural reference to the engine, it will be re-initialized when needed.

I've tested in Fedora, where the same problem occurs. Since I am currently a co-maintainer of the engine in Fedora, I can fix it there. But I can't fix it on Ubuntu.

Best Regards,
Anderson