openssl: OPENSSL_init_ssl fails in RUN_ONCE and ossl_init_config

After upgrade to openssl 1.1.1 we got an issue that all the SSL stuff failed to work.

OPENSSL_init_ssl returned failure due to failure in OPENSSL_init_crypto before. OPENSSL_init_crypto calls this block:

    if (opts & OPENSSL_INIT_LOAD_CONFIG) {
        int ret;
        CRYPTO_THREAD_write_lock(init_lock);
        appname = (settings == NULL) ? NULL : settings->appname;
        ret = RUN_ONCE(&config, ossl_init_config);
        CRYPTO_THREAD_unlock(init_lock);
        if (!ret)
            return 0;
    }

and that needs to be commented out of us to make it work again. It looks like that with multiple invocations of OPENSSL_init_crypto in our code and used libraries, the second invocation fails and returns the error here. Not sure why, but now everything works again as it did with older OpenSSL version so far.

About this issue

Original URL
State: closed
Created 6 years ago
Comments: 18 (11 by maintainers)

Commits related to this issue

src/signature: use OPENSSL_config() instead of OPENSSL_no_config() This will now load OpenSSL configuration from openssl.cnf default section 'openssl_conf'. This might be useful, anyway, but the mai... — committed to ejoerns/rauc by ejoerns 6 years ago
src/signature: use OPENSSL_config() instead of OPENSSL_no_config() This will now load OpenSSL configuration from openssl.cnf default section 'openssl_conf'. This might be useful, anyway, but the mai... — committed to ejoerns/rauc by ejoerns 6 years ago
return OpenSSL 1.1.1a and applied patch More info: - https://github.com/openssl/openssl/issues/7350 - https://github.com/openssl/openssl/commit/f725fe5b4b6504df08e30f5194d321c3025e2336 Without this... — committed to DeckerSU/komodo by DeckerSU 5 years ago
src/signature: use OPENSSL_config() instead of OPENSSL_no_config() This will now load OpenSSL configuration from openssl.cnf default section 'openssl_conf'. This might be useful, anyway, but the mai... — committed to leiflm/rauc by ejoerns 6 years ago
SSL: avoid using OpenSSL config in build directory (ticket #2404). With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx is asked to build OpenSSL itself. And with this macro autom... — committed to nginx/nginx by mdounin a year ago
SSL: avoid using OpenSSL config in build directory (ticket #2404). With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx is asked to build OpenSSL itself. And with this macro autom... — committed to webserver-llc/angie by mdounin a year ago
SSL: avoid using OpenSSL config in build directory (ticket #2404). With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx is asked to build OpenSSL itself. And with this macro autom... — committed to grumpylabs/freenginx by mdounin a year ago

Most upvoted comments

We tend to do a release every 3-4 months (unless a security issue causes us to do one earlier) …so “soon”.

mattcaswell on Feb 14, 2019

The problem is that ossl_init_config and ossl_init_no_config share the RUN_ONCE control argument. This means that if ossl_init_no_config was call once, then ossl_init_config will never be called.

The return value for RUN_ONCE is a static variable derived from the function name and initialized with ‘0’. In the failing case, this value is never changed, because the function is never called.

Several other option pairs have the same problem.

michaelolbrich on Nov 1, 2018