[openssl-users] Correct way to free SSL_CTX* ?

J Decker d3ck0r at gmail.com
Mon Jan 29 03:20:02 UTC 2018


On Sun, Jan 28, 2018 at 7:05 PM, pratyush parimal <
pratyush.parimal at gmail.com> wrote:

> Hi all,
>
> I'm trying to write an application in which I create an instance of
> SSL_CTX* using SSL_CTX_new(), and set the following things in it:
>
> (1) An EVP_PKEY* :
> 1a> created with PEM_read_bio_PrivateKey().
> 1b> set in the ctx using SSL_CTX_use_PrivateKey().
>
After setting the key, free the key.

>
> (2) A number of X509* instances (cuz chained certs) :
> 2a> all created with PEM_read_bio_X509().
> 2b> set in the ctx using SSL_CTX_use_certificate() or
> SSL_CTX_add_extra_chain_cert().
>
After setting the certs, free the certs.

>
> At the end, I use SSL_CTX_free() to free up the ctx. According to the man
> page for SSL_CTX_free():
>
> "SSL_CTX_free() decrements the reference count of ctx, and removes the
> SSL_CTX object pointed to by ctx and frees up the allocated memory if the
> reference count has reached 0.
>        It also calls the free()ing procedures for indirectly affected
> items, if applicable: the session cache, the list of ciphers, the list of
> Client CAs, the certificates and keys. "
>
> ... which tells me that freeing the SSL_CTX should free up its memory as
> well as the things I set inside of it (unless I'm interpreting it super
> wrong?) like " ... certificates and keys".
> The problem is, when I run my application under valgrind, I keep seeing
> memory leaks for both steps (1a) and (2a).
>
> I tried to get rid of them, by using EVP_PKEY_free() after I'm done
> setting in step (1b). This works, and the leak for step (1a) goes away.
> When I try to do the same for step (2), i.e. calling X509_free() after
> every successful "set" call, I get a coredump (backtrace is attached:
> bt_1.txt), coming out of SSL_CTX_free, suggesting that I did something
> wrong.
>
>
> Which brings me to my question, does anyone know the correct way to free
> memory in SSL_CTX ? Or, what's wrong with my steps? The application doesn't
> even perform SSL yet, I'm just trying to create/destroy SSL_CTX objects
> without leaks first. Any help would be appreciated!
>
>
> Thanks in advance,
> -Pratyush.
>

