It looks to me like SSL_CTX_flush_sessions() must always be called just 
before SSL_CTX_free() if session caching callback functions are installed.

There appears to be a bug in SSL_CTX_free():

...

        CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);

        if (a->sessions != NULL)
                {
                SSL_CTX_flush_sessions(a,0);
                lh_free(a->sessions);
                }

...

When session caching is enabled, SSL_CTX_flush_sessions() might invoke the
callback function that's installed by SSL_CTX_sess_set_remove_cb().

This callback function might reasonably expect to be able to use
SSL_CTX_get_app_data(), and get back something it knows what to do with.

Since CRYPTO_free_ex_data appears to blow this data away, depending on 
your software platform, your callback function will suddenly be getting 
crap from SSL_CTX_get_app_data(), instead of what it was expecting...

This looks like a bug to me.  Until someone fixes it, the solution is to 
manually call SSL_CTX_flush_sessions before SSL_CTX_free, if session 
callback functions are installed...

-- 
Sam




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
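
An added illustration of the teardown-order problem reported above, not code from the original message or from OpenSSL: a toy C model in which the remove callback runs after the application data has been released, next to the flush-first workaround. All names (toy_ctx, toy_*, app_state, teardown) are hypothetical, and the model sets the pointer to NULL so the loss can be counted safely.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy model, NOT OpenSSL code: toy_ctx, toy_* and app_state are hypothetical. */
typedef struct toy_ctx toy_ctx;
struct toy_ctx {
    void *app_data;                       /* models what SSL_CTX_get_app_data() returns */
    int sessions[2], nsessions;           /* models the session cache */
    void (*remove_cb)(toy_ctx *, int);    /* models SSL_CTX_sess_set_remove_cb() */
};
struct app_state { int removed; };        /* the application's own bookkeeping */
static int cb_without_app_data;           /* callbacks that ran after app data was gone */

static void app_remove_cb(toy_ctx *ctx, int session_id) {
    struct app_state *st = ctx->app_data;
    (void)session_id;
    /* NULL here is the model's stand-in for the unusable data the post describes. */
    if (st == NULL) { cb_without_app_data++; return; }
    st->removed++;
}
static void toy_flush_sessions(toy_ctx *ctx) {
    while (ctx->nsessions > 0)
        ctx->remove_cb(ctx, ctx->sessions[--ctx->nsessions]);
}

/* Same order as the quoted SSL_CTX_free(): app data released, then flush. */
static void toy_ctx_free(toy_ctx *ctx) {
    ctx->app_data = NULL;                 /* models CRYPTO_free_ex_data() */
    toy_flush_sessions(ctx);
    free(ctx);
}

/* Returns how many remove callbacks ran without usable app data. */
int teardown(int flush_first, struct app_state *st) {
    toy_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL) abort();
    ctx->app_data = st; ctx->remove_cb = app_remove_cb;
    ctx->sessions[0] = 101; ctx->sessions[1] = 102; ctx->nsessions = 2;
    cb_without_app_data = 0;
    if (flush_first) toy_flush_sessions(ctx);   /* the workaround from the post */
    toy_ctx_free(ctx);
    return cb_without_app_data;
}

int main(void) {
    struct app_state a = {0}, b = {0};
    int bad_free_only = teardown(0, &a), bad_flush_first = teardown(1, &b);
    printf("free only: %d lost; flush first: %d lost\n", bad_free_only, bad_flush_first);
    return 0;
}
```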