Bug 65344

Summary: OpenSSL configuration
Product: Tomcat Native
Reporter: Edin Hodzic <dino>
Component: Library
Assignee: Tomcat Developers Mailing List <dev>
Status: NEW ---
Severity: enhancement
Priority: P2
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: All

Description Edin Hodzic 2021-05-31 17:43:56 UTC
A potential improvement in the OpenSSL interaction might be to enable OpenSSL configuration:

In ssl.c, initialization is done with the call:
    OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);

The openssl command in OpenSSL source performs initialization like this:
    OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL);

The OPENSSL_INIT_LOAD_CONFIG flag makes the OpenSSL library load its configuration (for example /etc/ssl/openssl.cnf by default on Ubuntu). The configuration could also be specified through a path in the OPENSSL_CONF environment variable (which could be set in setenv.sh in Tomcat for full control over the OpenSSL configuration).

The ability to configure OpenSSL is important. As an example, some crypto engines require the engine to be initialized by the client code (others don't). This can be expressed in the configuration. See the NGINX forum thread related to this, and how the OpenSSL configuration is relied upon to initialize a crypto engine without changing the client code:

https://forum.nginx.org/read.php?29,279575,279905

(A similar enhancement request was initially made as a comment on ticket #65181.)
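The engine-via-configuration mechanism the report refers to, as an added illustration that is not part of the bug report or of Tomcat Native: an openssl.cnf that asks OpenSSL itself to load and initialize a dynamic engine, which only takes effect if the library is initialized with OPENSSL_INIT_LOAD_CONFIG (or the file is named in OPENSSL_CONF and the config is loaded). The engine id "myengine" and the .so path are placeholders.

```ini
# Example openssl.cnf (constructed for illustration, not from the report).
# Tomcat would pick it up from setenv.sh via:
#   export OPENSSL_CONF=/etc/tomcat/openssl.cnf
# only once ssl.c initializes with OPENSSL_INIT_LOAD_CONFIG.

# Default application section consulted by OPENSSL_INIT_LOAD_CONFIG.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# One entry per engine; the value names the section describing it.
myengine = myengine_section

[myengine_section]
# Placeholder engine id and shared object.
engine_id = myengine
dynamic_path = /opt/myengine/libmyengine.so
# init = 1 makes OpenSSL call ENGINE_init at config-load time, which is
# the "initialize without changing the client code" case from the report.
init = 1
# Narrow this to the algorithms the engine should actually take over;
# ALL replaces OpenSSL's software implementations for every algorithm.
default_algorithms = ALL
```

Because this file decides which shared object the JVM process loads at startup, the config file, the directory in OPENSSL_CONF, and the engine library should be root-owned and not writable by the Tomcat user.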