cmk-agent-ctl: disable OpenSSL config auto-load to fix sles-16 register hang

nigelgbanks · nigelgbanks · commit ecb5efea32aa · 2026-06-26T15:26:58.000+02:00
The vendored OpenSSL (native-tls) auto-loaded the distro-supplied
/etc/ssl/openssl.cnf at init because SUP-28810 pointed OPENSSLDIR at
/etc/ssl. On SLES 16 that config enables provider auto-loading, which
deadlocks OpenSSL 3.x's recursive rwlock under musl during DRBG seeding
in SSL_CTX_new -- so `cmk-agent-ctl register` hangs forever (e.g. robotmk
test_linux_deployment), draining the integration-test session timeout.

We neither ship nor need an openssl.cnf for the agent controller, so
build the vendored OpenSSL with `no-autoload-config`. This keeps
SUP-28810's path stabilisation intact and restores the controller's
"never read openssl config files" invariant in fact, not just by intent.

Verified in a SLES 16.0 container: the shipped binary hangs 3/3, the
rebuilt binary completes 3/3 (even with OPENSSL_CONF=/etc/ssl/openssl.cnf
forced) and TLS still works.

CMK-35950

Change-Id: Ibe963a3f3a3717baee72e3205659d8e8b5c0d678
diff --git a/packages/host/patches/openssl-src-stable-paths.patch b/packages/host/patches/openssl-src-stable-paths.patch
@@ -17,6 +17,15 @@
 # libcrypto.so loaded at runtime inside a site; the agent binaries ship to
 # monitored hosts that have no /omd tree, so FHS is the correct choice.
 #
+# CMK-35950: with OPENSSLDIR pointed at /etc/ssl, the vendored OpenSSL would
+# otherwise auto-load the *distro-supplied* /etc/ssl/openssl.cnf at init. On
+# SLES 16 that config enables provider auto-loading, which deadlocks OpenSSL
+# 3.x's recursive rwlock under musl (benign on glibc) during DRBG seeding in
+# SSL_CTX_new -- so `cmk-agent-ctl register` hangs forever. We neither ship nor
+# need an openssl.cnf, so the configure hunk below adds `no-autoload-config` to
+# keep the "never read openssl config files" invariant true in fact, not just
+# by intent.
+#
 # Applied to a build-time copy of the locked openssl-src crate by
 # patch-vendored-openssl-src.sh. The hunks are anchored on src/lib.rs context; a
 # crate upgrade that moves them makes `patch` fail loudly rather than silently
@@ -32,6 +41,16 @@
          }
 
          // Specify that openssl directory where things are loaded at runtime is
+@@ -202,6 +202,9 @@
+             .arg("no-ssl3")
+             // No need to build tests, we won't run them anyway
+             .arg("no-tests")
++            // CMK-35950: do not auto-load the (distro-supplied) openssl.cnf at init.
++            // SLES16's provider config deadlocks OpenSSL 3.x's recursive rwlock under musl.
++            .arg("no-autoload-config")
+             // Nothing related to zlib please
+             .arg("no-comp")
+             .arg("no-zlib")
 @@ -610,7 +610,7 @@
 
              let mut install =
