diff --git a/SOURCES/bz1688892-fix-openssl-init-config-check.patch b/SOURCES/bz1688892-fix-openssl-init-config-check.patch
new file mode 100644
index 0000000..b77f498
--- /dev/null
+++ b/SOURCES/bz1688892-fix-openssl-init-config-check.patch
@@ -0,0 +1,76 @@
+From 1f2b558da9f631a635e9b099b455696b1903bee4 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 15 Mar 2019 00:12:19 +0000
+Subject: [PATCH 3/3] Fix some configure tested checks for OPENSSL_init_crypto
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ genhash/ssl.c | 6 +++---
+ keepalived/check/check_ssl.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/genhash/ssl.c b/genhash/ssl.c
+index 96f51201..0574675a 100644
+--- a/genhash/ssl.c
++++ b/genhash/ssl.c
+@@ -44,7 +44,7 @@ void
+ init_ssl(void)
+ {
+ /* Library initialization */
+-#if HAVE_OPENSSL_INIT_CRYPTO
++#ifdef HAVE_OPENSSL_INIT_CRYPTO
+ #ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+@@ -59,7 +59,7 @@ init_ssl(void)
+ #endif
+
+ /* Initialize SSL context */
+-#if HAVE_TLS_METHOD
++#ifdef HAVE_TLS_METHOD
+ req->meth = TLS_method();
+ #else
+ req->meth = SSLv23_method();
+@@ -123,7 +123,7 @@ ssl_connect(thread_t * thread)
+ }
+
+ BIO_set_nbio(sock_obj->bio, 1); /* Set the Non-Blocking flag */
+-#if HAVE_SSL_SET0_RBIO
++#ifdef HAVE_SSL_SET0_RBIO
+ BIO_up_ref(sock_obj->bio);
+ SSL_set0_rbio(sock_obj->ssl, sock_obj->bio);
+ SSL_set0_wbio(sock_obj->ssl, sock_obj->bio);
+diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
+index 2743ea87..58061b91 100644
+--- a/keepalived/check/check_ssl.c
++++ b/keepalived/check/check_ssl.c
+@@ -68,7 +68,7 @@ build_ssl_ctx(void)
+ ssl_data_t *ssl;
+
+ /* Library initialization */
+-#if HAVE_OPENSSL_INIT_CRYPTO
++#ifdef HAVE_OPENSSL_INIT_CRYPTO
+ #ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+@@ -88,7 +88,7 @@ build_ssl_ctx(void)
+ ssl = check_data->ssl;
+
+ /* Initialize SSL context */
+-#if HAVE_TLS_METHOD
++#ifdef HAVE_TLS_METHOD
+ ssl->meth = TLS_method();
+ #else
+ ssl->meth = SSLv23_method();
+@@ -226,7 +226,7 @@ ssl_connect(thread_t * thread, int new_req)
+
+ BIO_get_fd(req->bio, &bio_fd);
+ fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC);
+-#if HAVE_SSL_SET0_RBIO
++#ifdef HAVE_SSL_SET0_RBIO
+ BIO_up_ref(req->bio);
+ SSL_set0_rbio(req->ssl, req->bio);
+ SSL_set0_wbio(req->ssl, req->bio);
+--
+2.20.1
+
diff --git a/SOURCES/bz1688892-fix-openssl-init-configure.patch b/SOURCES/bz1688892-fix-openssl-init-configure.patch
new file mode 100644
index 0000000..43ec64b
--- /dev/null
+++ b/SOURCES/bz1688892-fix-openssl-init-configure.patch
@@ -0,0 +1,409 @@
+--- a/configure 2018-11-12 13:40:33.000000000 -0600
++++ b/configure 2019-03-18 11:29:03.305427768 -0500
+@@ -730,7 +730,6 @@
+ AMDEPBACKSLASH
+ AMDEP_FALSE
+ AMDEP_TRUE
+-am__quote
+ am__include
+ DEPDIR
+ OBJEXT
+@@ -790,7 +789,6 @@
+ docdir
+ oldincludedir
+ includedir
+-runstatedir
+ localstatedir
+ sharedstatedir
+ sysconfdir
+@@ -809,7 +807,8 @@
+ PACKAGE_TARNAME
+ PACKAGE_NAME
+ PATH_SEPARATOR
+-SHELL'
++SHELL
++am__quote'
+ ac_subst_files=''
+ ac_user_opts='
+ enable_option_checking
+@@ -925,7 +924,6 @@
+ sysconfdir='${prefix}/etc'
+ sharedstatedir='${prefix}/com'
+ localstatedir='${prefix}/var'
+-runstatedir='${localstatedir}/run'
+ includedir='${prefix}/include'
+ oldincludedir='/usr/include'
+ docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+@@ -1178,15 +1176,6 @@
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+
+- -runstatedir | --runstatedir | --runstatedi | --runstated \
+- | --runstate | --runstat | --runsta | --runst | --runs \
+- | --run | --ru | --r)
+- ac_prev=runstatedir ;;
+- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+- | --run=* | --ru=* | --r=*)
+- runstatedir=$ac_optarg ;;
+-
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+@@ -1324,7 +1313,7 @@
+ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+- libdir localedir mandir runstatedir
++ libdir localedir mandir
+ do
+ eval ac_val=\$$ac_var
+ # Remove trailing slashes.
+@@ -1477,7 +1466,6 @@
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
+- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+@@ -2689,7 +2677,7 @@
+ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+-am__api_version='1.15'
++am__api_version='1.16'
+
+ ac_aux_dir=
+ for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
+@@ -3234,8 +3222,8 @@
+
+ # For better backward compatibility. To be removed once Automake 1.9.x
+ # dies out for good. For more background, see:
+-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
+-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
++# <https://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
++# <https://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
+ mkdir_p='$(MKDIR_P)'
+
+ # We need awk for the "check" target (and possibly the TAP driver). The
+@@ -3286,7 +3274,7 @@
+ Aborting the configuration process, to ensure you take notice of the issue.
+
+ You can download and install GNU coreutils to get an 'rm' implementation
+-that behaves properly: <http://www.gnu.org/software/coreutils/>.
++that behaves properly: <https://www.gnu.org/software/coreutils/>.
+
+ If you want to complete the configuration process using your problematic
+ 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
+@@ -4650,45 +4638,45 @@
+
+ ac_config_commands="$ac_config_commands depfiles"
+
+-
+-am_make=${MAKE-make}
+-cat > confinc << 'END'
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} supports the include directive" >&5
++$as_echo_n "checking whether ${MAKE-make} supports the include directive... " >&6; }
++cat > confinc.mk << 'END'
+ am__doit:
+- @echo this is the am__doit target
++ @echo this is the am__doit target >confinc.out
+ .PHONY: am__doit
+ END
+-# If we don't find an include directive, just comment out the code.
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5
+-$as_echo_n "checking for style of include used by $am_make... " >&6; }
+ am__include="#"
+ am__quote=
+-_am_result=none
+-# First try GNU make style include.
+-echo "include confinc" > confmf
+-# Ignore all kinds of additional output from 'make'.
+-case `$am_make -s -f confmf 2> /dev/null` in #(
+-*the\ am__doit\ target*)
+- am__include=include
+- am__quote=
+- _am_result=GNU
+- ;;
+-esac
+-# Now try BSD make style include.
+-if test "$am__include" = "#"; then
+- echo '.include "confinc"' > confmf
+- case `$am_make -s -f confmf 2> /dev/null` in #(
+- *the\ am__doit\ target*)
+- am__include=.include
+- am__quote="\""
+- _am_result=BSD
++# BSD make does it like this.
++echo '.include "confinc.mk" # ignored' > confmf.BSD
++# Other make implementations (GNU, Solaris 10, AIX) do it like this.
++echo 'include confinc.mk # ignored' > confmf.GNU
++_am_result=no
++for s in GNU BSD; do
++ { echo "$as_me:$LINENO: ${MAKE-make} -f confmf.$s && cat confinc.out" >&5
++ (${MAKE-make} -f confmf.$s && cat confinc.out) >&5 2>&5
++ ac_status=$?
++ echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); }
++ case $?:`cat confinc.out 2>/dev/null` in #(
++ '0:this is the am__doit target') :
++ case $s in #(
++ BSD) :
++ am__include='.include' am__quote='"' ;; #(
++ *) :
++ am__include='include' am__quote='' ;;
++esac ;; #(
++ *) :
+ ;;
+- esac
+-fi
+-
+-
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5
+-$as_echo "$_am_result" >&6; }
+-rm -f confinc confmf
++esac
++ if test "$am__include" != "#"; then
++ _am_result="yes ($s style)"
++ break
++ fi
++done
++rm -f confinc.* confmf.*
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${_am_result}" >&5
++$as_echo "${_am_result}" >&6; }
+
+ # Check whether --enable-dependency-tracking was given.
+ if test "${enable_dependency_tracking+set}" = set; then :
+@@ -7506,8 +7494,8 @@
+ done
+
+
+-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
+-for ac_func in SSL_set0_rbio OPENSSL_init_crypto
++# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0
++for ac_func in SSL_set0_rbio OPENSSL_init_crypto TLS_method
+ do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+@@ -7520,19 +7508,62 @@
+ done
+
+
+-# TLS_method() introduced OpenSSL v1.1.0
+-for ac_func in TLS_method
+-do :
+- ac_fn_c_check_func "$LINENO" "TLS_method" "ac_cv_func_TLS_method"
+-if test "x$ac_cv_func_TLS_method" = xyes; then :
+- cat >>confdefs.h <<_ACEOF
+-#define HAVE_TLS_METHOD 1
+-_ACEOF
++# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
++# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
++if test .$ac_cv_func_OPENSSL_init_crypto = .yes; then :
+
++ if test .$ac_cv_func_TLS_method = .yes; then :
++ method_func=TLS_method
++else
++ method_func=SSLv23_method
+ fi
+-done
++ if test "$cross_compiling" = yes; then :
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&5
++$as_echo "$as_me: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&2;}
++ openssl_init_no_load_bug=1
++
++
++else
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <openssl/ssl.h>
++int
++main ()
++{
++
++ const SSL_METHOD *meth;
++ SSL_CTX *ctx;
++
++ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
++ return 1;
+
++ /* Initialize SSL context */
++ meth = $method_func();
++ if (!(ctx = SSL_CTX_new(meth)))
++ return 1;
++ return 0;
+
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_run "$LINENO"; then :
++ openssl_init_no_load_bug=0
++else
++ openssl_init_no_load_bug=1
++fi
++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
++ conftest.$ac_objext conftest.beam conftest.$ac_ext
++fi
++
++ if test $openssl_init_no_load_bug -eq 1; then :
++
++$as_echo "#define HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG 1 " >>confdefs.h
++
++fi
++
++fi
+ unset LIBS
+
+ if test $BUILD_GENHASH = No; then
+@@ -12695,7 +12726,7 @@
+ #
+ # INIT-COMMANDS
+ #
+-AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
++AMDEP_TRUE="$AMDEP_TRUE" MAKE="${MAKE-make}"
+
+ _ACEOF
+
+@@ -13322,29 +13353,35 @@
+ # Older Autoconf quotes --file arguments for eval, but not when files
+ # are listed without --file. Let's play safe and only enable the eval
+ # if we detect the quoting.
+- case $CONFIG_FILES in
+- *\'*) eval set x "$CONFIG_FILES" ;;
+- *) set x $CONFIG_FILES ;;
+- esac
++ # TODO: see whether this extra hack can be removed once we start
++ # requiring Autoconf 2.70 or later.
++ case $CONFIG_FILES in #(
++ *\'*) :
++ eval set x "$CONFIG_FILES" ;; #(
++ *) :
++ set x $CONFIG_FILES ;; #(
++ *) :
++ ;;
++esac
+ shift
+- for mf
++ # Used to flag and report bootstrapping failures.
++ am_rc=0
++ for am_mf
+ do
+ # Strip MF so we end up with the name of the file.
+- mf=`echo "$mf" | sed -e 's/:.*$//'`
+- # Check whether this is an Automake generated Makefile or not.
+- # We used to match only the files named 'Makefile.in', but
+- # some people rename them; so instead we look at the file content.
+- # Grep'ing the first line is not enough: some people post-process
+- # each Makefile.in and add a new line on top of each file to say so.
+- # Grep'ing the whole file is not good either: AIX grep has a line
++ am_mf=`$as_echo "$am_mf" | sed -e 's/:.*$//'`
++ # Check whether this is an Automake generated Makefile which includes
++ # dependency-tracking related rules and includes.
++ # Grep'ing the whole file directly is not great: AIX grep has a line
+ # limit of 2048, but all sed's we know have understand at least 4000.
+- if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
+- dirpart=`$as_dirname -- "$mf" ||
+-$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+- X"$mf" : 'X\(//\)[^/]' \| \
+- X"$mf" : 'X\(//\)$' \| \
+- X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
+-$as_echo X"$mf" |
++ sed -n 's,^am--depfiles:.*,X,p' "$am_mf" | grep X >/dev/null 2>&1 \
++ || continue
++ am_dirpart=`$as_dirname -- "$am_mf" ||
++$as_expr X"$am_mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++ X"$am_mf" : 'X\(//\)[^/]' \| \
++ X"$am_mf" : 'X\(//\)$' \| \
++ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$am_mf" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+@@ -13362,53 +13399,48 @@
+ q
+ }
+ s/.*/./; q'`
+- else
+- continue
+- fi
+- # Extract the definition of DEPDIR, am__include, and am__quote
+- # from the Makefile without running 'make'.
+- DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+- test -z "$DEPDIR" && continue
+- am__include=`sed -n 's/^am__include = //p' < "$mf"`
+- test -z "$am__include" && continue
+- am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+- # Find all dependency output files, they are included files with
+- # $(DEPDIR) in their names. We invoke sed twice because it is the
+- # simplest approach to changing $(DEPDIR) to its actual value in the
+- # expansion.
+- for file in `sed -n "
+- s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+- sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do
+- # Make sure the directory exists.
+- test -f "$dirpart/$file" && continue
+- fdir=`$as_dirname -- "$file" ||
+-$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+- X"$file" : 'X\(//\)[^/]' \| \
+- X"$file" : 'X\(//\)$' \| \
+- X"$file" : 'X\(/\)' \| . 2>/dev/null ||
+-$as_echo X"$file" |
+- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+- s//\1/
+- q
+- }
+- /^X\(\/\/\)[^/].*/{
++ am_filepart=`$as_basename -- "$am_mf" ||
++$as_expr X/"$am_mf" : '.*/\([^/][^/]*\)/*$' \| \
++ X"$am_mf" : 'X\(//\)$' \| \
++ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X/"$am_mf" |
++ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+- /^X\(\/\/\)$/{
++ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+- /^X\(\/\).*/{
++ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+- as_dir=$dirpart/$fdir; as_fn_mkdir_p
+- # echo "creating $dirpart/$file"
+- echo '# dummy' > "$dirpart/$file"
+- done
++ { echo "$as_me:$LINENO: cd "$am_dirpart" \
++ && sed -e '/# am--include-marker/d' "$am_filepart" \
++ | $MAKE -f - am--depfiles" >&5
++ (cd "$am_dirpart" \
++ && sed -e '/# am--include-marker/d' "$am_filepart" \
++ | $MAKE -f - am--depfiles) >&5 2>&5
++ ac_status=$?
++ echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } || am_rc=$?
+ done
++ if test $am_rc -ne 0; then
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "Something went wrong bootstrapping makefile fragments
++ for automatic dependency tracking. Try re-running configure with the
++ '--disable-dependency-tracking' option to at least be able to build
++ the package (albeit without support for automatic dependency tracking).
++See \`config.log' for more details" "$LINENO" 5; }
++ fi
++ { am_dirpart=; unset am_dirpart;}
++ { am_filepart=; unset am_filepart;}
++ { am_mf=; unset am_mf;}
++ { am_rc=; unset am_rc;}
++ rm -f conftest-deps.mk
+ }
+ ;;
+
diff --git a/SOURCES/bz1688892-fix-openssl-init-failure.patch b/SOURCES/bz1688892-fix-openssl-init-failure.patch
new file mode 100644
index 0000000..4a8f64a
--- /dev/null
+++ b/SOURCES/bz1688892-fix-openssl-init-failure.patch
@@ -0,0 +1,81 @@
+From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 12 Mar 2019 14:58:38 +0000
+Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1
+
+OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new()
+if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously
+been called.
+
+This commit doesn't call OPENSSL_init_crypto() if doing so causes
+SSL_CTX_new() to fail.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ configure.ac | 30 ++++++++++++++++++++++++++++++
+ keepalived/check/check_ssl.c | 6 ++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 89399ca3..504b9b92 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
+ # TLS_method() introduced OpenSSL v1.1.0
+ AC_CHECK_FUNCS([TLS_method])
+
++# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
++# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
++AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
++ [
++ AC_RUN_IFELSE(
++ [AC_LANG_PROGRAM(
++ [[#include <openssl/ssl.h>]],
++ [[
++ const SSL_METHOD *meth;
++ SSL_CTX *ctx;
++
++ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
++ return 1;
++
++ /* Initialize SSL context */
++ meth = TLS_method();
++ if (!(ctx = SSL_CTX_new(meth)))
++ return 1;
++ return 0;
++ ]])],
++ [openssl_init_no_load_bug=0],
++ [openssl_init_no_load_bug=1],
++ [
++ AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.])
++ openssl_init_no_load_bug=1
++ ]
++ )
++ AS_IF([test $openssl_init_no_load_bug -eq 1],
++ [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])])
++ ])
+ unset LIBS
+
+ if test $BUILD_GENHASH = No; then
+diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
+index 6bf6a005..2743ea87 100644
+--- a/keepalived/check/check_ssl.c
++++ b/keepalived/check/check_ssl.c
+@@ -69,8 +69,14 @@ build_ssl_ctx(void)
+
+ /* Library initialization */
+ #if HAVE_OPENSSL_INIT_CRYPTO
++#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
++ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
++ * It works in v1.1.0h and v1.1.1b.
++ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
++ * presumably more efficient not to load it. */
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ log_message(LOG_INFO, "OPENSSL_init_crypto failed");
++#endif
+ #else
+ SSL_library_init();
+ SSL_load_error_strings();
+--
+2.20.1
+
diff --git a/SOURCES/bz1688892-fix-openssl-init-genhash.patch b/SOURCES/bz1688892-fix-openssl-init-genhash.patch
new file mode 100644
index 0000000..a9251f3
--- /dev/null
+++ b/SOURCES/bz1688892-fix-openssl-init-genhash.patch
@@ -0,0 +1,72 @@
+From 5e1a2130340ea4fabc4095b412c8b3836d112828 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Wed, 13 Mar 2019 09:46:27 +0000
+Subject: [PATCH 2/3] Fix genhash re OPENSSL_init_crypto bug and improve
+ configure.ac
+
+Commit fe6d6ac (Fix OpenSSL init failure with OpenSSL v1.1.1) didn't
+update the identical code in genhash/ssl.c. Also, an improvement for
+the test in configure.ac was suggested.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ configure.ac | 12 +++++-------
+ genhash/ssl.c | 6 ++++++
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 504b9b92..c964a11e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -813,16 +813,14 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ # SSL_CTX_set_verify_depth() introduced OpenSSL v0.9.5a
+ AC_CHECK_FUNCS([SSL_CTX_set_verify_depth])
+
+-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
+-AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
+-
+-# TLS_method() introduced OpenSSL v1.1.0
+-AC_CHECK_FUNCS([TLS_method])
++# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0
++AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto TLS_method])
+
+ # In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+ # OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+-AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
++AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes],
+ [
++ AS_IF([test .$ac_cv_func_TLS_method = .yes], [method_func=TLS_method], [method_func=SSLv23_method])
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <openssl/ssl.h>]],
+@@ -834,7 +832,7 @@ AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method =
+ return 1;
+
+ /* Initialize SSL context */
+- meth = TLS_method();
++ meth = $method_func();
+ if (!(ctx = SSL_CTX_new(meth)))
+ return 1;
+ return 0;
+diff --git a/genhash/ssl.c b/genhash/ssl.c
+index 8e9162c8..96f51201 100644
+--- a/genhash/ssl.c
++++ b/genhash/ssl.c
+@@ -45,8 +45,14 @@ init_ssl(void)
+ {
+ /* Library initialization */
+ #if HAVE_OPENSSL_INIT_CRYPTO
++#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
++ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
++ * It works in v1.1.0h and v1.1.1b.
++ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
++ * presumably more efficient not to load it. */
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ fprintf(stderr, "OPENSSL_init_crypto failed\n");
++#endif
+ #else
+ SSL_library_init();
+ SSL_load_error_strings();
+--
+2.20.1
+
diff --git a/SPECS/keepalived.spec b/SPECS/keepalived.spec
index 7e608f0..997e502 100644
--- a/SPECS/keepalived.spec
+++ b/SPECS/keepalived.spec
@@ -9,7 +9,7 @@
Name: keepalived
Summary: High Availability monitor built upon LVS, VRRP and service pollers
Version: 2.0.10
-Release: 1%{?dist}
+Release: 4%{?dist}.1
License: GPLv2+
URL: http://www.keepalived.org/
Group: System Environment/Daemons
@@ -17,6 +17,11 @@ Group: System Environment/Daemons
Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz
Source1: keepalived.service
+Patch1: bz1688892-fix-openssl-init-failure.patch
+Patch2: bz1688892-fix-openssl-init-genhash.patch
+Patch3: bz1688892-fix-openssl-init-config-check.patch
+Patch4: bz1688892-fix-openssl-init-configure.patch
+
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@@ -25,9 +30,11 @@ Requires(postun): systemd
BuildRequires: net-snmp-devel
%endif
BuildRequires: gcc
+BuildRequires: automake
BuildRequires: systemd-units
BuildRequires: openssl-devel
BuildRequires: libnl3-devel
+BuildRequires: ipset-devel
BuildRequires: iptables-devel
BuildRequires: libnfnetlink-devel
@@ -47,6 +54,10 @@ infrastructures.
%prep
%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
%build
%configure \
@@ -96,10 +107,22 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
%{_mandir}/man8/keepalived.8*
%changelog
+* Thu Apr 04 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-4.1
+- Rebuild for z-stream (#1690306)
+
+* Wed Mar 27 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-4
+- Bump release number (#1688892)
+
+* Mon Mar 18 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-3
+- Rework fix for OpenSSL initialization segfault (#1688892)
+
+* Fri Mar 15 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-2
+- Fix OpenSSL initialization segfault (#1688892)
+
* Mon Nov 26 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.10-1
- Update to 2.0.10 (#1631816)
-* Mon Oct 06 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.7-2
+* Mon Oct 08 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.7-2
- Remove BuildRequires for ipset-devel
* Tue Oct 02 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.7-1