[openssl-users] 1.1.1a: crash in CRYPTO_THREAD_lock_free
Claus Assmann
ca+ssl-users at esmtp.org
Wed Nov 28 23:31:17 UTC 2018
Thanks for the reply, it helped me adding some more debugging
statements to various places to track down the problem:
it is due to a change in TLS session handling in TLSv1.3.
It seems there are multiple SSL_SESSION structures for a single SSL
connection (SMTP session). The callback installed using
SSL_CTX_sess_set_new_cb() was called twice for the same SSL connection
and the code was written to handle only one callback per connection.
This resulted in a "use after free" situation. Sorry for the false
alarm.
More information about the openssl-users
mailing list