[openssl-dev] OpenSSL version 1.1.0 pre release 3 published
Jouni Malinen
j at w1.fi
Mon Feb 15 20:52:27 UTC 2016
On Mon, Feb 15, 2016 at 07:04:20PM +0000, OpenSSL wrote:
> OpenSSL version 1.1.0 pre release 3 (alpha)
>
> OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 3 has now
> been made available. For details of changes and known issues see the
> release notes at:
>
> http://www.openssl.org/news/openssl-1.1.0-notes.html
It looks like something in pre release 3 has changed behavior in a way
that results in SSL_CTX_new(SSLv23_method()) failing in some cases. I've
never seen this with earlier releases. It looks like the error within
SSL_CTX_new() is in EVP_get_digestbyname("ssl3-md5") returning NULL
suddenly after a process has called SSL_CTX_new() and SSL_CTX_free()
multiple times.
Based on a git bisect between OpenSSL_1_1_0-pre2 and OpenSSL_1_1_0-pre3
tags, it looks like the different behavior was triggered by commit
7fa792d14d06cdaca18f225b1d2d8daf8ed24fd7 ('Auto init/de-init libssl').
That does add a call to
OPENSSL_INIT_ssl_library_start(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)
within SSL_CTX_new(), so I guess this is somehow messing up the
registered digests.
The program in question (wpa_supplicant) calls SSL_load_error_strings(),
SSL_library_init(), EVP_add_digest(EVP_sha256()),
EVP_add_cipher(EVP_rc2_40_cbc()), and PKCS12_PBE_add(), but commenting
these out did not change anything for the issue.
I could not find anything related to this in the release notes either.
Is this a bug somewhere in pre release 3 or are there supposed to be some
changes needed in applications using OpenSSL to work with this auto
init/de-init libssl change?
--
Jouni Malinen PGP id EFC895FA