Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Twice initialization openssl #6254

Closed
unreturned opened this issue Nov 27, 2020 · 2 comments
Closed

Twice initialization openssl #6254

unreturned opened this issue Nov 27, 2020 · 2 comments
Labels
TLS

Comments

@unreturned
Copy link

I did this

Full steps to reproduce problem:

  1. Build GOST engine for openssl 1.1.1
$ mkdir /tmp/testgostengine/
$ git clone -b openssl_1_1_1 --single-branch https://github.com/gost-engine/engine /tmp/testgostengine/
$ mkdir /tmp/testgostengine/build/; cd /tmp/testgostengine/build/
$ cmake --configure .
$ cmake --build . --config Release
  1. Write minimal config
$ cat /tmp/testgostengine/example.conf | sed 's|dynamic_path = ./bin/gost.so|dynamic_path = /tmp/testgostengine/bin/gost.so|g' > /tmp/testgostengine/openssl.conf
  1. Use it to connect to test host
$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf curl --insecure --head https://tlsgost-2001.cryptopro.ru/

Output of command

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf curl --insecure 'https://tlsgost-2001.cryptopro.ru/'
GOST engine already loaded
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

And in this output we have some problem like GOST engine already loaded. Is it problem with twice initialization openssl in curl? For example, if I don't use curl and do fetch by only php and openssl like this, I haven't this error:

Test php script:

$ cat << 'EOF' > /tmp/testgostengine/test.php
<?php

$mySSLContext = array(
    "ssl" => array(
        "verify_peer" => false,
        "verify_peer_name" => false,
    ),
);

print_r(file_get_contents("https://tlsgost-2001.cryptopro.ru/", false, stream_context_create($mySSLContext)));
EOF

Output:

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf php /tmp/testgostengine/test.php
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

No error GOST engine already loaded.

I expected the following

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf curl --insecure 'https://tlsgost-2001.cryptopro.ru/'
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

curl/libcurl version

$ curl -V
curl 7.73.0 (x86_64-pc-linux-gnu) libcurl/7.73.0 OpenSSL/1.1.1h zlib/1.2.11 zstd/1.4.5 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.41.0
Release-Date: 2020-10-14
Protocols: dict file ftp ftps gopher http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

operating system

Archlinux

uname -a
Linux myzion 5.9.10-arch1-1 #1 SMP PREEMPT Sun, 22 Nov 2020 14:16:59 +0000 x86_64 GNU/Linux
@bagder bagder added the TLS label Nov 27, 2020
@bagder
Copy link
Member

bagder commented Nov 27, 2020

So from where in libcurl is the openssl engine initialized, both times? Can you check?

@unreturned
Copy link
Author

unreturned commented Nov 27, 2020
edited

Hello!

I'm sorry, but my expertise in this question very poor. And probably I did not correctly name the problem.

But I found some, that can be possible usefull.

I try to look at

curl/lib/vtls/openssl.c

Line 1134 in c7b02c5

#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
and build curl with --disable-openssl-auto-load-config and it solves problem for me:

OPENSSL_CONF=/tmp/testgostengine/openssl.conf /tmp/curl/src/curl --insecure 'https://tlsgost-2001.cryptopro.ru/'
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

And with this option curl reads file once:

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf strace /tmp/curl/src/curl --insecure 'https://tlsgost-2001.cryptopro.ru/' 2>&1 | grep openssl.conf
openat(AT_FDCWD, "/tmp/testgostengine/openssl.conf", O_RDONLY) = 6
read(6, "openssl_conf = openssl_def\n[open"..., 4096) = 262

$ strace /tmp/curl/src/curl --head 'https://google.com/' 2>&1 | grep openssl
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 6

By default ./configure, without option --disable-openssl-auto-load-config curl reads conf file twice:

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf strace curl --insecure 'https://tlsgost-2001.cryptopro.ru/' 2>&1 | grep openssl.conf
openat(AT_FDCWD, "/tmp/testgostengine/openssl.conf", O_RDONLY) = 3
read(3, "openssl_conf = openssl_def\n[open"..., 4096) = 262
openat(AT_FDCWD, "/tmp/testgostengine/openssl.conf", O_RDONLY) = 6
read(6, "openssl_conf = openssl_def\n[open"..., 4096) = 262

$ strace curl --head 'https://google.com/' 2>&1 | grep openssl
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 6

Hope, this helps.

@jay jay mentioned this issue Nov 28, 2020
Closed
bagder added a commit that referenced this issue Nov 28, 2020
@bagder
openssl: avoid the CONF_*load_file on >= 1.1.0
d87bfe2 
... as that initialization is done automatically by OpenSSL itself these
days.

Reported-by: Kovalkov Dmitrii and Per Nilsson
Fixes #6254
Fixes #6256
Closes #
@bagder bagder mentioned this issue Nov 28, 2020
Closed
bagder added a commit that referenced this issue Nov 30, 2020
@bagder
openssl: use OPENSSL_init_ssl() with >= 1.0.0
2f85b70 
Reported-by: Kovalkov Dmitrii and Per Nilsson
Fixes #6254
Fixes #6256
Closes #
bagder added a commit that referenced this issue Dec 2, 2020
@bagder
openssl: use OPENSSL_init_ssl() with >= 1.1.0
bd24270 
Reported-by: Kovalkov Dmitrii and Per Nilsson
Fixes #6254
Fixes #6256
Closes #6260
@bagder bagder closed this as completed in 1835cb9 Dec 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
TLS
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

openssl: use OPENSSL_init_ssl() with >= 1.1.0 curl/curl
2 participants
@bagder @unreturned