Skip to content

Support loading custom OpenSSL provider#2357

Open
yadij wants to merge 5 commits intosquid-cache:masterfrom
yadij:arc-openssl-provider-1
Open

Support loading custom OpenSSL provider#2357
yadij wants to merge 5 commits intosquid-cache:masterfrom
yadij:arc-openssl-provider-1

Conversation

@yadij
Copy link
Contributor

@yadij yadij commented Jan 17, 2026

When using OpenSSL, allow Squid to use a specific
crypto provider named in ssl_provider.

Replaces any system-wide configuration specified
using openssl.conf.

@yadij
Support loading custom OpenSSL provider
adfe555 
When using OpenSSL, allow Squid to use a specific
crypto provider named in ssl_provider.

Replaces any system-wide configuration specified
using openssl.conf.
@yadij yadij added the feature maintainer needs documentation updates for merge label Jan 17, 2026
@yadij
Copy link
Contributor Author

yadij commented Jan 18, 2026

Existing builds will start to see something like this is cache.log on startup:

2026/01/18 20:46:55| Provider: default( name[24]=OpenSSL Default Provider, version[5]=3.5.4, buildinfo[5]=3.5.4, status=1 )

When ssl_provider legacy is configured:

2026/01/18 20:46:55| Provider: legacy( name[23]=OpenSSL Legacy Provider, version[5]=3.5.4, buildinfo[5]=3.5.4, status=1 )

@rousskov rousskov self-requested a review January 18, 2026 15:26
rousskov
rousskov requested changes Jan 18, 2026
View reviewed changes
Copy link
Contributor

@rousskov rousskov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for adding this feature. I have not reviewed the entire PR yet, and will have more questions later, but these two change requests should allow you to make progress.

src/ssl/support.cc
if (::Config.SSL.ssl_provider) {
if (!OSSL_PROVIDER_load(nullptr, ::Config.SSL.ssl_provider)) {
const auto ssl_error = ERR_get_error();
fatalf("Failed to load SSL provider: %s\n", Security::ErrorString(ssl_error));
Copy link
Contributor

@rousskov rousskov Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please do not call fatalf() when reacting to a configuration application failure. Throw an exception instead.

Copy link
Contributor Author

@yadij yadij Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately this function is not only called during startup. It can be delayed and called later in Squid operation after a reconfigure. The exception handlers for that case are not yet reliable.

FWIW, I planned to fix the above situation with the project moving init things into runners. But that work got stalled.

@yadij yadij requested a review from rousskov January 18, 2026 23:52
@yadij yadij added the S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box label Jan 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rousskov rousskov Awaiting requested review from rousskov

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

feature maintainer needs documentation updates for merge S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yadij @rousskov

Comments