Fix OpenSSL config loading race condition for TLS engines

JackBoliangM · JackBoliangM · commit bbf385b30285 · 2026-03-03T14:45:34.000+13:00
When setting MOSQ_OPT_TLS_ENGINE, mosquitto_string_option()
initializes the OpenSSL singleton via OPENSSL_init_crypto
but omits the OPENSSL_INIT_LOAD_CONFIG flag.

If an engine is set before mosquitto_connect_async() (which
calls net__init_tls()), OpenSSL locks its initialization
state without reading openssl.cnf. This causes engines like
pkcs11 to fail to resolve their MODULE_PATH, resulting in
dlopen failures for hardware TrustZone/HSM modules.

Adding OPENSSL_INIT_LOAD_CONFIG to the engine initialization
ensures the configuration is parsed and the engine can locate
its dynamic backend.

Signed-off-by: Jack(Boliang) Ma &lt;jack.boliang.ma106@gmail.com&gt;
diff --git a/lib/options.c b/lib/options.c
@@ -295,7 +295,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 				/* The "Dynamic" OpenSSL engine is not initialized by default but
 				   is required by ENGINE_by_id() to find dynamically loadable engines */
-				OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL);
+				OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC | OPENSSL_INIT_ENGINE_DYNAMIC, NULL);
 #endif
 				eng = ENGINE_by_id(value);
 				if(!eng){
