Matt,

Below is the scenario.

1. Have server open a listen socket which always validates the client 
certificate and chain.
2. On server support ECDHE using callback. Ensure the EC_KEY passed to openssl 
from app is cleaned up by the app.
3. Connect client with certificates that server does not trust.
4. The connections from client to server fail.

In course of time the app running the server has been leaking. Even after 
accounting for the EC_KEY passed by the server app to openssl we find there 
seems to be a leak. Further investigation on the core dumps generated from the 
server app shows that it has the certificates from the client saved.

Hope this helps

Thanks
Darshan 

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt 
Caswell
Sent: Thursday, March 23, 2017 6:55 PM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Memory leak in application when we use ECDH



On 23/03/17 13:19, Mody, Darshan (Darshan) wrote:
> Can you further elaborate?
> 
> What we did is to create a TLS connection and with invalid 
> certificates from the client and server on verification would reject 
> the certificate. The cipher negotiated was ECDHE cipher between client 
> and server.
> 
> This was done with load (multiple while 1 script trying to connect to 
> server using invalid certificates and in course of time the memory was 
> increasing).

Without being able to recreate the problem it's going to be very 
difficult/impossible for us to fix it (assuming the problem is in OpenSSL 
itself). We would need some simple reproducer code that demonstrates the 
problem occurring.

Matt


> 
> Thanks Darshan
> 
> -----Original Message----- From: openssl-dev 
> [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt Caswell
> Sent: Thursday, March 23, 2017 4:09 PM To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] Memory leak in application when we use ECDH
> 
> 
> 
> On 23/03/17 10:13, Mody, Darshan (Darshan) wrote:
>> Matt,
>> 
>> Even after accounting for the EC_KEY we still observe some leak.
>> The leak started after we started using supporting EC with
>> callback SSL_set_tmp_ecdh_callback().
>> 
>> The core dump shows the string data of the far-end certificates.
>> I cannot pinpoint the code in openssl with this regard.
> 
> Are you able to create a simple reproducer demonstrating the problem 
> with the callback?
> 
> Matt
> 
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
