[openssl-users] Openssl static build linked in DLL does not unload on win32

Jakob Bohm jb-openssl at wisemo.com
Thu Jan 5 11:17:36 UTC 2017

On 05/01/2017 11:53, Matt Caswell wrote:
> On 04/01/17 23:11, Dan Heinz wrote:
>> Using openssl 1.1.0c.
>> I have a test application that is a win32 console app that calls a win32
>> DLL which has the openssl libraries linked in statically.
>> The test applications uses late-binding to the DLL and calls LoadLibrary
>> for the DLL, one test function in the DLL, and then FreeLibrary on the DLL.
>> The test function in the DLL does the following:
>> RSA*rsa = NULL;
>> rsa = RSA_new();
>> RSA_free(rsa);
>> OPENSSL_thread_stop();
>> OPENSSL_cleanup();
>> return0;
>> When FreeLibrary is called on the DLL, dllmain in never called with any
>> messages.  A subsequent call to LoadLibrary also fails to call dllmain
>> and when the test function is called RSA_new() fails.  This leads me to
>> believe the DLL is never freed.
>> I have tried building openssl with and without no-threads with the same
>> results.  My build parameters are:
>> perl Configure *%TEMP_ARCHITECTURE%*
>> --prefix=*%RootPath_ThirdParty%*\*%OPENSSL_VERSION%* -DPURIFY
>> -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-threads no-asm
>> no-idea no-mdc2 no-rc5  no-ssl3 no-zlib no-comp
>> What am I missing?
> OpenSSL does its cleanup at *process* exit. Don't call OPENSSL_cleanup()
> explicitly - this is discouraged.
>  From this manpage:
> https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
> "Typically there should be no need to call this function directly as it
> is initiated automatically on application exit...<snip>...
> Once OPENSSL_cleanup() has been called the library cannot be reinitialised."
> This last sentence is the reason why RSA_new() will fail after you have
> previously called OPENSSL_cleanup().
> Because cleanup happens on process exit, OpenSSL will keep itself in
> memory until that time (otherwise crashes will occur because the cleanup
> routines have been unloaded).
> If you want to dynamically load and unload your DLL then don't
> statically link it to OpenSSL - otherwise OpenSSL will keep your DLL
> around until process exit too.
> Matt
Which is a horribly broken design by the OpenSSL team, especially if
the surrounding process is extremely long-running.  Otherwise, security
updates to OpenSSL will end up requiring system reboots to ensure that
all OpenSSL-using code actually runs the updated OpenSSL libraries.

Someone needs to go back to the drawing board and make OpenSSL
unloadable again.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list