[openssl-dev] Memory leak in application when we use ECDH
Mody, Darshan (Darshan)
darshanmody at avaya.com
Thu Mar 23 13:47:10 UTC 2017
Below is the scenario.
1. Have server open a listen socket which always validates the client certificate and chain.
2. On server support ECDHE using callback. Ensure the EC_KEY passed to openssl from app is cleaned up by the app.
3. Connect client with certificates that server does not trust.
4. The connections from client to server fail.
In the course of time the app running the server has been leaking. Even after accounting for the EC_KEY passed by the server app to openssl we find there seems to be a leak. Further investigation on the core dumps generated from the server app shows that it has the certificates from the client saved.
Hope this helps
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Matt Caswell
Sent: Thursday, March 23, 2017 6:55 PM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Memory leak in application when we use ECDH
On 23/03/17 13:19, Mody, Darshan (Darshan) wrote:
> Can you further elaborate?
> What we did is to create a TLS connection and with invalid
> certificates from the client and server on verification would reject
> the certificate. The cipher negotiated was ECDHE cipher between client
> and server.
> This was done with load (multiple while 1 script trying to connect to
> server using invalid certificates and in course of time the memory was
Without being able to recreate the problem it's going to be very difficult/impossible for us to fix it (assuming the problem is in OpenSSL itself). We would need some simple reproducer code that demonstrates the problem occurring.
> Thanks Darshan
> -----Original Message----- From: openssl-dev
> [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Matt Caswell
> Sent: Thursday, March 23, 2017 4:09 PM To: openssl-dev at openssl.org
> Subject: Re: [openssl-dev] Memory leak in application when we use ECDH
> On 23/03/17 10:13, Mody, Darshan (Darshan) wrote:
>> Even after accounting for the EC_KEY we still observe some leak.
>> The leak started after we started using supporting EC with
>> callback SSL_set_tmp_ecdh_callback().
>> The core dump shows the string data of the far-end certificates.
>> I cannot pinpoint the code in openssl with this regard.
> Are you able to create a simple reproducer demonstrating the problem
> with the callback?