[prev in list] [next in list] [prev in thread] [next in thread]
List: openssl-users
Subject: [openssl-users] Manual Shutdown of OpenSSL 1.1.x library
From: Dan Heinz <dheinz () softwarekey ! com>
Date: 2018-04-26 12:50:57
Message-ID: CY1PR0601MB1577AB4700CCE0E83E952703D98E0 () CY1PR0601MB1577 ! namprd06 ! prod ! outlook ! com
[Download RAW message or body]
We have not moved from OpenSSL 1.0.x to OpenSSL 1.1.x as we require the abi=
lity to manually shutdown the library. We noticed in the latest release no=
tes the following:
"Modify compression code so it frees up structures without using the ex_dat=
a callbacks. This works around a problem where some applications call CRYPT=
O_cleanup_all_ex_data() before application exit (e.g. when restarting) then=
use compression (e.g. SSL with compression) later. This results in signifi=
cant per-connection memory leaks and has caused some security issues includ=
ing CVE-2008-1678 and CVE-2009-4355".
Is there now a way to manually shutdown the library?
To summarize: We have a DLL that statically links OpenSSL. Our DLL gets lo=
aded and unloaded multiple times by a process (not our process), and we nee=
d to release OpenSSL each time. This was not possible with OpenSSL 1.1 as =
of September 2017 as the process's atexit is where it gets released which w=
ill not be called after a FreeLibrary() call on our DLL. Has this been rev=
isited? If there now a way to manually release OpenSSL, or are there any p=
lans to add this ability?
From the previous post, something like this would address the issue: "I'm w=
ondering whether an option to override the default behavior might be possib=
le, e.g. an explicit call to OPENSSL_init_crypto() with something like an O=
PENSSL_INIT_NO_ATEXIT_CLEANUP option. The application would then have to ca=
ll OPENSSL_cleanup() explicitly."
Original issue posted with discussion:
https://www.mail-archive.com/openssl-users@openssl.org/msg80781.html
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">We have not moved from OpenSSL 1.0.x to OpenSSL 1.1.x as we \
require the ability to manually shutdown the library. We noticed in the latest \
release notes the following:<br> “Modify compression code so it frees up \
structures without using the ex_data callbacks. This works around a problem where \
some applications call CRYPTO_cleanup_all_ex_data() before application exit (e.g. \
when restarting) then use compression (e.g. SSL with compression) later. This \
results in significant per-connection memory leaks and has caused some security \
issues including CVE-2008-1678 and CVE-2009-4355”.<o:p></o:p></p> <p \
class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">Is there now a way to \
manually shutdown the library? <o:p></o:p></p> <p>To summarize: We have a DLL \
that statically links OpenSSL. Our DLL gets loaded and unloaded multiple times \
by a process (not our process), and we need to release OpenSSL each time. This \
was not possible with OpenSSL 1.1 as of September 2017 as the process’s atexit \
is where it gets released which will not be called after a FreeLibrary() call on our \
DLL. Has this been revisited? If there now a way to manually release \
OpenSSL, or are there any plans to add this ability?<o:p></o:p></p> <p>From the \
previous post, something like this would address the issue: “I'm wondering \
whether an option to override the default behavior might be possible, e.g. an \
explicit call to OPENSSL_init_crypto() with something like an \
OPENSSL_INIT_NO_ATEXIT_CLEANUP option. The application would then have to call \
OPENSSL_cleanup() explicitly.”<o:p></o:p></p> <p class="MsoNormal">Original \
issue posted with discussion:<o:p></o:p></p> <p class="MsoNormal"><a \
href="https://www.mail-archive.com/openssl-users@openssl.org/msg80781.html">https://www.mail-archive.com/openssl-users@openssl.org/msg80781.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--===============0608052110086773690==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic