Hi, after quite some time trying to convert Apache httpd (and libapr) to new the OPENSSL_init/cleanup() 1.1 API, and wondering why openssl libs would not unload with mod_ssl as before (1.0 and earlier), I found the ELF NODELETE flag (gcc's -znodelete) and the new (no-)pinshared config option (though available in 1.1.1 only, not in 1.1.0 AFAICT). Unfortunately pinshared openssl can't work with the way httpd dlopen/close()s mod_ssl, which itself initializes and cleans up openssl, at each restart. Once openssl is cleaned up, it won't re-initialize due to internal static variables (and it worked so far in httpd because all the legacy cleanup methods currently used, like OBJ/EVP/ENGINE_cleanup, are all no-ops now). IIUC from some previous threads on this list, the new way to cleanup openssl is to not cleanup (explicitely), which causes issues with some usages obviously (and is possibly why build time no-pinshared and run time OPENSSL_INIT_NO_ATEXIT appeared in 1.1.1). So my question is, why isn't no-pinshared the default? ISTM that pinshared is enabled on linux only, and linux has __cxa_atexit semantics for atexit() already, so dlclose() should already call OPENSSL_cleanup() when needed. Thus with OPENSSL_INIT_NO_ATEXIT now available the user could choose at runtime whether (s)he wants to call OPENSSL_cleanup() explicitely or let openssl clean up by itself. Of course one can build his/her own openssl with no-pinshared, but I suppose distros don't, so all software that need to unload openssl need to build their own one... Another concern is that none of no-pinshared and OPENSSL_INIT_NO_ATEXIT is available in 1.1.0. Am I missing something? Regards, Yann.
