configure: add option to disable automatic OpenSSL config loading

Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.

Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.

Fixes #2724
Closes #2791

diff --git a/configure.ac b/configure.ac
index ff8f5df9b9d4b0a3f8b204b195ac9d8b6856eaec..1e068cb37ae98be60b9bc3f91b6fd45275631fa9 100755 (executable)
--- a/configure.ac
+++ b/configure.ac
@@ -1876,6 +1876,20 @@ if test "$OPENSSL_ENABLED" = "1"; then
    ])
 fi
 
+dnl ---
+dnl Whether the OpenSSL configuration will be loaded automatically
+dnl ---
+if test X"$OPENSSL_ENABLED" = X"1"; then
+AC_ARG_ENABLE(openssl-auto-load-config,
+AC_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
+AC_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
+[ if test X"$enableval" = X"no"; then
+    AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
+    AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
+  fi
+])
+fi
+
 dnl ----------------------------------------------------
 dnl check for GnuTLS
 dnl ----------------------------------------------------

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ce890fe3c0c55fab977bb517ca5bdbbde99b14e2..d257d949007b46084187b0e394ed85d4bf109890 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -994,9 +994,11 @@ static int Curl_ossl_init(void)
 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
 #endif
 
+#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
   CONF_modules_load_file(NULL, NULL,
                          CONF_MFLAGS_DEFAULT_SECTION|
                          CONF_MFLAGS_IGNORE_MISSING_FILE);
+#endif
 
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
     !defined(LIBRESSL_VERSION_NUMBER)

diff --git a/winbuild/Makefile.vc b/winbuild/Makefile.vc
index a874b77f83a2172b3f0edec4d5aa901387a6e8f4..7b42e1bdba2b2f20548ff4eed2a1ba42a4e6d950 100644 (file)
--- a/winbuild/Makefile.vc
+++ b/winbuild/Makefile.vc
@@ -53,6 +53,8 @@ CFGSET=true
 !MESSAGE   ENABLE_IPV6=<yes or no>        - Enable IPv6, defaults to yes
 !MESSAGE   ENABLE_SSPI=<yes or no>        - Enable SSPI support, defaults to yes
 !MESSAGE   ENABLE_WINSSL=<yes or no>      - Enable native Windows SSL support, defaults to yes
+!MESSAGE   ENABLE_OPENSSL_AUTO_LOAD_CONFIG=<yes or no>
+!MESSAGE                                  - Whether the OpenSSL configuration will be loaded automatically, defaults to yes
 !MESSAGE   GEN_PDB=<yes or no>            - Generate Program Database (debug symbols for release build)
 !MESSAGE   DEBUG=<yes or no>              - Debug builds
 !MESSAGE   MACHINE=<x86 or x64>           - Target architecture (default x64 on AMD64, x86 on others)
@@ -130,6 +132,10 @@ USE_WINSSL = true
 USE_WINSSL = false
 !ENDIF
 
+!IFNDEF ENABLE_OPENSSL_AUTO_LOAD_CONFIG
+ENABLE_OPENSSL_AUTO_LOAD_CONFIG = true
+!ENDIF
+
 CONFIG_NAME_LIB = libcurl
 
 !IF "$(WITH_SSL)"=="dll"

diff --git a/winbuild/MakefileBuild.vc b/winbuild/MakefileBuild.vc
index 019a414a0bcc0dbe2e8594711bbdb9f5ddb08b32..2b4087d583a402269bdd78f040640cd7ec379c00 100644 (file)
--- a/winbuild/MakefileBuild.vc
+++ b/winbuild/MakefileBuild.vc
@@ -152,6 +152,9 @@ SSL_CFLAGS   = /DUSE_OPENSSL /I"$(SSL_INC_DIR)"
 !IF EXISTS("$(SSL_INC_DIR)\is_boringssl.h")\r
 SSL_CFLAGS   = $(SSL_CFLAGS) /DHAVE_BORINGSSL\r
 !ENDIF\r
+!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false"\r
+SSL_CFLAGS   = $(SSL_CFLAGS) /DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG\r
+!ENDIF\r
 !ENDIF\r
 \r
 \r