[openssl-users] Openssl static build linked in DLL does not unload on win32
jb-openssl at wisemo.com
Thu Jan 5 11:17:36 UTC 2017
On 05/01/2017 11:53, Matt Caswell wrote:
> On 04/01/17 23:11, Dan Heinz wrote:
>> Using openssl 1.1.0c.
>> I have a test application that is a win32 console app that calls a win32
>> DLL which has the openssl libraries linked in statically.
>> The test applications uses late-binding to the DLL and calls LoadLibrary
>> for the DLL, one test function in the DLL, and then FreeLibrary on the DLL.
>> The test function in the DLL does the following:
>> RSA*rsa = NULL;
>> rsa = RSA_new();
>> When FreeLibrary is called on the DLL, dllmain in never called with any
>> messages. A subsequent call to LoadLibrary also fails to call dllmain
>> and when the test function is called RSA_new() fails. This leads me to
>> believe the DLL is never freed.
>> I have tried building openssl with and without no-threads with the same
>> results. My build parameters are:
>> perl Configure *%TEMP_ARCHITECTURE%*
>> --prefix=*%RootPath_ThirdParty%*\*%OPENSSL_VERSION%* -DPURIFY
>> -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-threads no-asm
>> no-idea no-mdc2 no-rc5 no-ssl3 no-zlib no-comp
>> What am I missing?
> OpenSSL does its cleanup at *process* exit. Don't call OPENSSL_cleanup()
> explicitly - this is discouraged.
> From this manpage:
> "Typically there should be no need to call this function directly as it
> is initiated automatically on application exit...<snip>...
> Once OPENSSL_cleanup() has been called the library cannot be reinitialised."
> This last sentence is the reason why RSA_new() will fail after you have
> previously called OPENSSL_cleanup().
> Because cleanup happens on process exit, OpenSSL will keep itself in
> memory until that time (otherwise crashes will occur because the cleanup
> routines have been unloaded).
> If you want to dynamically load and unload your DLL then don't
> statically link it to OpenSSL - otherwise OpenSSL will keep your DLL
> around until process exit too.
Which is a horribly broken design by the OpenSSL team, especially if
the surrounding process is extremely long-running. Otherwise, security
updates to OpenSSL will end up requiring system reboots to ensure that
all OpenSSL-using code actually runs the updated OpenSSL libraries.
Someone needs to go back to the drawing board and make OpenSSL
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users