[openssl-dev] OpenSSL version 1.1.0 pre release 3 published
Matt Caswell
matt at openssl.org
Mon Feb 15 21:20:27 UTC 2016
On 15/02/16 20:52, Jouni Malinen wrote:
> On Mon, Feb 15, 2016 at 07:04:20PM +0000, OpenSSL wrote:
>> OpenSSL version 1.1.0 pre release 3 (alpha)
>>
>> OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 3 has now
>> been made available. For details of changes and known issues see the
>> release notes at:
>>
>> http://www.openssl.org/news/openssl-1.1.0-notes.html
>
> It looks like something in pre release 3 has changed behavior in a way
> that results in SSL_CTX_new(SSLv23_method()) failing in some cases. I've
> never seen this with earlier releases. It looks like the error within
> SSL_CTX_new() is in EVP_get_digestbyname("ssl3-md5") returning NULL
> suddenly after a process has called SSL_CTX_new() and SSL_CTX_free()
> multiple times.
>
> Based on a git bisect between OpenSSL_1_1_0-pre2 and OpenSSL_1_1_0-pre3
> tags, it looks like the different behavior was triggered by commit
> 7fa792d14d06cdaca18f225b1d2d8daf8ed24fd7 ('Auto init/de-init libssl').
> That does add a call to
> OPENSSL_INIT_ssl_library_start(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)
> within SSL_CTX_new(), so I guess this is somehow messing up the
> registered digests.
>
> The program in question (wpa_supplicant) calls SSL_load_error_strings(),
> SSL_library_init(), EVP_add_digest(EVP_sha256()),
> EVP_add_cipher(EVP_rc2_40_cbc()), and PKCS12_PBE_add(), but commenting
> these out did not change anything for the issue.
>
> I could not find anything related to this in the release notes either.
>
> Is this a bug somewhere in pre release 3, or are there supposed to be some
> changes needed in applications using OpenSSL to work with this auto
> init/de-init libssl change?
>
Do you call EVP_cleanup() at any point between creating the SSL_CTX objects?
Matt