Bug 65344 - OpenSSL configuration
Summary: OpenSSL configuration
Status: NEW
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library
Version: unspecified
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-31 17:43 UTC by Edin Hodzic
Modified: 2021-05-31 17:43 UTC
Description Edin Hodzic 2021-05-31 17:43:56 UTC
A potential improvement in the OpenSSL interaction might be to enable OpenSSL configuration:

In ssl.c, initialization is done with the call:
    OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);

The openssl command in OpenSSL source performs initialization like this:
    OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL);

The OPENSSL_INIT_LOAD_CONFIG flag makes the OpenSSL library load its configuration (for example /etc/ssl/openssl.cnf by default on Ubuntu). The configuration could also be specified through a path in the OPENSSL_CONF environment variable (which could be set in setenv.sh in Tomcat for full control over the OpenSSL configuration).

The ability to configure OpenSSL is important. As an example, some crypto engines require the engine to be initialized by the client code (others don't). This can be expressed in the configuration. See the NGINX forum thread related to this, and note how the OpenSSL configuration is relied upon to initialize a crypto engine without changing the client code:

https://forum.nginx.org/read.php?29,279575,279905

(A similar enhancement request was initially made as a comment on ticket #65181.)