[openssl-users] Manual Shutdown of OpenSSL 1.1.x library

Dan Heinz dheinz at softwarekey.com
Thu Apr 26 12:50:57 UTC 2018

We have not moved from OpenSSL 1.0.x to OpenSSL 1.1.x as we require the ability to manually shut down the library. We noticed in the latest release notes the following:
"Modify compression code so it frees up structures without using the ex_data callbacks. This works around a problem where some applications call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when restarting) then use compression (e.g. SSL with compression) later. This results in significant per-connection memory leaks and has caused some security issues including CVE-2008-1678 and CVE-2009-4355".

Is there now a way to manually shut down the library?

To summarize: We have a DLL that statically links OpenSSL. Our DLL gets loaded and unloaded multiple times by a process (not our process), and we need to release OpenSSL each time. This was not possible with OpenSSL 1.1 as of September 2017, as the process's atexit is where it gets released, which will not be called after a FreeLibrary() call on our DLL. Has this been revisited? Is there now a way to manually release OpenSSL, or are there any plans to add this ability?

From the previous post, something like this would address the issue: "I'm wondering whether an option to override the default behavior might be possible, e.g. an explicit call to OPENSSL_init_crypto() with something like an OPENSSL_INIT_NO_ATEXIT_CLEANUP option. The application would then have to call OPENSSL_cleanup() explicitly."
Original issue posted with discussion:
