Skip to content
Permalink
Browse files

configure: add option to disable automatic OpenSSL config loading

Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.

Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.

Fixes #2724
Closes #2791
  • Loading branch information...
pwaehnert authored and bagder committed Jul 25, 2018
1 parent c515294 commit 6684653b682bae0be75ea62bb473b126923952f1
Showing with 25 additions and 0 deletions.
  1. +14 −0 configure.ac
  2. +2 −0 lib/vtls/openssl.c
  3. +6 −0 winbuild/Makefile.vc
  4. +3 −0 winbuild/MakefileBuild.vc
@@ -1876,6 +1876,20 @@ if test "$OPENSSL_ENABLED" = "1"; then
])
fi

dnl ---
dnl Whether the OpenSSL configuration will be loaded automatically
dnl ---
if test X"$OPENSSL_ENABLED" = X"1"; then
AC_ARG_ENABLE(openssl-auto-load-config,
AC_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
AC_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
[ if test X"$enableval" = X"no"; then
AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
fi
])
fi

dnl ----------------------------------------------------
dnl check for GnuTLS
dnl ----------------------------------------------------
@@ -994,9 +994,11 @@ static int Curl_ossl_init(void)
#define CONF_MFLAGS_DEFAULT_SECTION 0x0
#endif

#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
CONF_modules_load_file(NULL, NULL,
CONF_MFLAGS_DEFAULT_SECTION|
CONF_MFLAGS_IGNORE_MISSING_FILE);
#endif

#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER)
@@ -53,6 +53,8 @@ CFGSET=true
!MESSAGE ENABLE_IPV6=<yes or no> - Enable IPv6, defaults to yes
!MESSAGE ENABLE_SSPI=<yes or no> - Enable SSPI support, defaults to yes
!MESSAGE ENABLE_WINSSL=<yes or no> - Enable native Windows SSL support, defaults to yes
!MESSAGE ENABLE_OPENSSL_AUTO_LOAD_CONFIG=<yes or no>
!MESSAGE - Whether the OpenSSL configuration will be loaded automatically, defaults to yes
!MESSAGE GEN_PDB=<yes or no> - Generate Program Database (debug symbols for release build)
!MESSAGE DEBUG=<yes or no> - Debug builds
!MESSAGE MACHINE=<x86 or x64> - Target architecture (default x64 on AMD64, x86 on others)
@@ -130,6 +132,10 @@ USE_WINSSL = true
USE_WINSSL = false
!ENDIF

!IFNDEF ENABLE_OPENSSL_AUTO_LOAD_CONFIG
ENABLE_OPENSSL_AUTO_LOAD_CONFIG = true
!ENDIF

CONFIG_NAME_LIB = libcurl

!IF "$(WITH_SSL)"=="dll"
@@ -152,6 +152,9 @@ SSL_CFLAGS = /DUSE_OPENSSL /I"$(SSL_INC_DIR)"
!IF EXISTS("$(SSL_INC_DIR)\is_boringssl.h")
SSL_CFLAGS = $(SSL_CFLAGS) /DHAVE_BORINGSSL
!ENDIF
!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false"
SSL_CFLAGS = $(SSL_CFLAGS) /DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
!ENDIF
!ENDIF


0 comments on commit 6684653

Please sign in to comment.
You can’t perform that action at this time.