Skip to content

Fix OpenSSL config loading race condition for TLS engines#3533

Open
JackBoliangM wants to merge 1 commit intoeclipse-mosquitto:fixesfrom
JackBoliangM:fix-openssl-engine-config-fixes
Open

Fix OpenSSL config loading race condition for TLS engines#3533
JackBoliangM wants to merge 1 commit intoeclipse-mosquitto:fixesfrom
JackBoliangM:fix-openssl-engine-config-fixes

Conversation

@JackBoliangM
Copy link
Copy Markdown

@JackBoliangM JackBoliangM commented Mar 3, 2026

When setting MOSQ_OPT_TLS_ENGINE, mosquitto_string_option() initializes the OpenSSL singleton via OPENSSL_init_crypto but omits the OPENSSL_INIT_LOAD_CONFIG flag.

If an engine is set before mosquitto_connect_async() (which calls net__init_tls()), OpenSSL locks its initialization state without reading openssl.cnf. This causes engines like pkcs11 to fail to resolve their MODULE_PATH, resulting in dlopen failures for hardware TrustZone/HSM modules.

Example error log (Found under release/v2.0)

Unable to load module (null)
PKCS11_get_private_key returned NULL
[libmosq] level=8 Error: Unable to load engine private key file "<pkcs#11-uri>".
[libmosq] level=8 OpenSSL Error[0]: error:41000401:libp11::Unable to load PKCS#11 module
[libmosq] level=8 OpenSSL Error[1]: error:40000067:pkcs11 engine::invalid parameter
[libmosq] level=8 OpenSSL Error[2]: error:13000080:engine routines::failed loading private key

Adding OPENSSL_INIT_LOAD_CONFIG to the engine initialization ensures the configuration is parsed and the engine can locate its dynamic backend.

@JackBoliangM
Fix OpenSSL config loading race condition for TLS engines
5f98b74 
When setting MOSQ_OPT_TLS_ENGINE, mosquitto_string_option()
initializes the OpenSSL singleton via OPENSSL_init_crypto
but omits the OPENSSL_INIT_LOAD_CONFIG flag.

If an engine is set before mosquitto_connect_async() (which
calls net__init_tls()), OpenSSL locks its initialization
state without reading openssl.cnf. This causes engines like
pkcs11 to fail to resolve their MODULE_PATH, resulting in
dlopen failures for hardware TrustZone/HSM modules.

Adding OPENSSL_INIT_LOAD_CONFIG to the engine initialization
ensures the configuration is parsed and the engine can locate
its dynamic backend.

Signed-off-by: Jack(Boliang) Ma <jack.boliang.ma106@gmail.com>
@JackBoliangM JackBoliangM force-pushed the fix-openssl-engine-config-fixes branch from bbf385b to 5f98b74 Compare March 3, 2026 01:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JackBoliangM