Hi Rémi,

sorry for the slow reply :-(

On Sat, Jul 02, 2016 at 04:47:57PM +0200, Remi Gacogne wrote:
> Hi Willy, Roberto, Emeric,
> 
> On 06/30/2016 08:12 PM, Willy Tarreau wrote:
> > I checked the man page for SSL_CTX_set_tmp_dh() and it does not mention
> > anything regarding the need to free the param or not. And the example
> > that comes with it doesn't involve a call to DH_free().
> 
> It's a mess, I recall having the same issue with a previous version of
> the DH code.
> 
> > Thus for now I'd rather leave valgrind unhappy until someone finds what
> > exactly needs to be done to make it happy and not cause this issue.
> 
> I've attached what I think is the right fix, simply checking if
> local_dh_2014 is NULL before calling ssl_get_dh_1024(), thus only
> generating it at most one time. It's then freed in __ssl_sock_deinit()
> so valgrind should be happy.

Interesting. So my understanding is that we never ought to free what
is passed to SSL_CTX_set_tmp_dh() and that this first attempt only
managed to shut valgrind down. Note that it's not the first time
we add bugs to make valgrind happy...
 
I'm willing to merge this one into 1.7 if Emeric doesn't object and
wait a bit before backporting it into a future 1.6 (since I really
don't care about valgrind's feelings in stable branches).

Thanks!
willy
