SSL engine support bug


#1

Hi

I believe I found a bug in the order of initialization of OpenSSL. The RSA
keys are initialized (RSA_new called) in SSL_CTX_use_certificate_chain_file,
which is called from ngx_ssl_certificate, which in turn is called from
ngx_conf_parse at src/core/ngx_conf_file.c:237. The ssl_engine is, however,
parsed in ngx_openssl_init_conf, which is called later. Therefore the created
RSA keys in SSL contexts use the built-in RSA_METHOD and not the one
provided by the loaded engine.
I don't have enough knowledge of nginx, so I can't propose a solution, but the
obvious thing would be to change the order of parsing of those directives
(either load the engine earlier or load the SSL certificate and key later).

Best regards


#2

On Thu, Feb 12, 2009 at 04:03:16PM +0100, Marcin Gozdalik wrote:

> I believe I found a bug in the order of initialization of OpenSSL. The RSA
> keys are initialized (RSA_new called) in SSL_CTX_use_certificate_chain_file,
> which is called from ngx_ssl_certificate, which in turn is called from
> ngx_conf_parse at src/core/ngx_conf_file.c:237. The ssl_engine is, however,
> parsed in ngx_openssl_init_conf, which is called later. Therefore the created
> RSA keys in SSL contexts use the built-in RSA_METHOD and not the one
> provided by the loaded engine.
> I don't have enough knowledge of nginx, so I can't propose a solution, but the
> obvious thing would be to change the order of parsing of those directives
> (either load the engine earlier or load the SSL certificate and key later).

Try the attached patch.


#3

2009/2/12 Igor S. removed_email_address@domain.invalid

> On Thu, Feb 12, 2009 at 04:03:16PM +0100, Marcin Gozdalik wrote:
>
> > I believe I found a bug in the order of initialization of OpenSSL. The RSA
> > [snip]
>
> Try the attached patch.

Works great - now the ENGINE is loaded before certificates. Thanks a lot.