Unverified Commit 6684653b authored by Philipp Waehnert's avatar Philipp Waehnert Committed by Daniel Stenberg

configure: add option to disable automatic OpenSSL config loading

Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configure option --disable-openssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_OPENSSL_AUTO_LOAD_CONFIG accepting a boolean
value.

Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.

Fixes #2724
Closes #2791
parent c515294c
+14 −0
@@ -1876,6 +1876,20 @@ if test "$OPENSSL_ENABLED" = "1"; then
   ])
fi

dnl ---
dnl Whether the OpenSSL configuration will be loaded automatically
dnl ---
if test X"$OPENSSL_ENABLED" = X"1"; then
AC_ARG_ENABLE(openssl-auto-load-config,
AC_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
AC_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
[ if test X"$enableval" = X"no"; then
    AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
    AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
  fi
])
fi

dnl ----------------------------------------------------
dnl check for GnuTLS
dnl ----------------------------------------------------
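Review bot: The `AC_ARG_ENABLE` body only acts on `if test X"$enableval" = X"no"`: `--enable-openssl-auto-load-config`, or any other value such as `=maybe`, is accepted silently with no notice, and neither help string says which setting is the default. Since the default keeps loading an external config, I'd state that in the help text, `[Enable automatic loading of OpenSSL configuration (default)]`, and add an `else` with `AC_MSG_NOTICE([automatic loading of OpenSSL configuration enabled])` so the effective state is visible in the configure output. A short `dnl` comment above the block saying why loading is a risk (presumably that the config file and whatever it references come from a location the process may not control) would also help whoever trips over the option later.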
+2 −0
@@ -994,9 +994,11 @@ static int Curl_ossl_init(void)
#define CONF_MFLAGS_DEFAULT_SECTION 0x0
#endif

#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
  CONF_modules_load_file(NULL, NULL,
                         CONF_MFLAGS_DEFAULT_SECTION|
                         CONF_MFLAGS_IGNORE_MISSING_FILE);
#endif

#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
    !defined(LIBRESSL_VERSION_NUMBER)
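Review bot: The new `#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` guard covers only the explicit `CONF_modules_load_file()` call; the `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` branch that opens on the hunk's last lines (and continues past it) presumably calls `OPENSSL_init_ssl()`, and as far as I recall OpenSSL 1.1.1 makes `OPENSSL_INIT_LOAD_CONFIG` the default for libssl, so a build with the option off would still load the config from there. I'd mirror the guard in that branch — `#ifdef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` / `flags |= OPENSSL_INIT_NO_LOAD_CONFIG;` / `#endif` ahead of the `OPENSSL_init_ssl()` call — and check a 1.1.1 build with `OPENSSL_CONF` pointing at a config whose effect is observable. With a `NULL` filename OpenSSL resolves its default config path, which the `OPENSSL_CONF` environment variable can redirect; that is presumably the risk this option exists for and is worth one comment at the `#ifndef`, e.g. `/* loads the default OpenSSL config (overridable via OPENSSL_CONF); the build-time opt-out exists because that file can pull in settings the process does not control */`. Note also that the return value of `CONF_modules_load_file()` is still discarded, so a malformed config is skipped silently, not only a missing one; worth a comment if that is deliberate. `Curl_ossl_init()` starts before this hunk.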
+6 −0
@@ -53,6 +53,8 @@ CFGSET=true
!MESSAGE   ENABLE_IPV6=<yes or no>        - Enable IPv6, defaults to yes
!MESSAGE   ENABLE_SSPI=<yes or no>        - Enable SSPI support, defaults to yes
!MESSAGE   ENABLE_WINSSL=<yes or no>      - Enable native Windows SSL support, defaults to yes
!MESSAGE   ENABLE_OPENSSL_AUTO_LOAD_CONFIG=<yes or no>
!MESSAGE                                  - Whether the OpenSSL configuration will be loaded automatically, defaults to yes
!MESSAGE   GEN_PDB=<yes or no>            - Generate Program Database (debug symbols for release build)
!MESSAGE   DEBUG=<yes or no>              - Debug builds
!MESSAGE   MACHINE=<x86 or x64>           - Target architecture (default x64 on AMD64, x86 on others)
@@ -130,6 +132,10 @@ USE_WINSSL = true
USE_WINSSL = false
!ENDIF

!IFNDEF ENABLE_OPENSSL_AUTO_LOAD_CONFIG
ENABLE_OPENSSL_AUTO_LOAD_CONFIG = true
!ENDIF

CONFIG_NAME_LIB = libcurl

!IF "$(WITH_SSL)"=="dll"
+3 −0
@@ -152,6 +152,9 @@ SSL_CFLAGS = /DUSE_OPENSSL /I"$(SSL_INC_DIR)"
!IF EXISTS("$(SSL_INC_DIR)\is_boringssl.h")
SSL_CFLAGS   = $(SSL_CFLAGS) /DHAVE_BORINGSSL
!ENDIF
!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false"
SSL_CFLAGS   = $(SSL_CFLAGS) /DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
!ENDIF
!ENDIF
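Review bot: The `!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false"` test recognises exactly one spelling; `no`, `FALSE`, `0` or a typo all fall through, leave `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` undefined, and the build proceeds as if the hardening had never been requested. For a switch whose purpose is to turn a risky behaviour off I'd reject anything but the two accepted values, e.g. `!ELSEIF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"!="true"` / `!ERROR ENABLE_OPENSSL_AUTO_LOAD_CONFIG must be true or false` inserted before that inner `!ENDIF`. The enclosing OpenSSL `!IF` block opens before this hunk; only its closing `!ENDIF` is visible here.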