
List:       openssl-users
Subject:    [openssl-users] Manual Shutdown of OpenSSL 1.1.x  library
From:       Dan Heinz <dheinz () softwarekey ! com>
Date:       2018-04-26 12:50:57
Message-ID: CY1PR0601MB1577AB4700CCE0E83E952703D98E0 () CY1PR0601MB1577 ! namprd06 ! prod ! outlook ! com

We have not moved from OpenSSL 1.0.x to OpenSSL 1.1.x as we require the ability to manually shut down the library.  We noticed in the latest release notes the following:
"Modify compression code so it frees up structures without using the ex_data callbacks. This works around a problem where some applications call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when restarting) then use compression (e.g. SSL with compression) later. This results in significant per-connection memory leaks and has caused some security issues including CVE-2008-1678 and CVE-2009-4355".

Is there now a way to manually shut down the library?

To summarize: We have a DLL that statically links OpenSSL.  Our DLL gets loaded and unloaded multiple times by a process (not our process), and we need to release OpenSSL each time.  This was not possible with OpenSSL 1.1 as of September 2017 as the process's atexit is where it gets released, which will not be called after a FreeLibrary() call on our DLL.  Has this been revisited?  Is there now a way to manually release OpenSSL, or are there any plans to add this ability?

From the previous post, something like this would address the issue: "I'm wondering whether an option to override the default behavior might be possible, e.g. an explicit call to OPENSSL_init_crypto() with something like an OPENSSL_INIT_NO_ATEXIT_CLEANUP option. The application would then have to call OPENSSL_cleanup() explicitly."
Original issue posted with discussion:
https://www.mail-archive.com/openssl-users@openssl.org/msg80781.html

