On a disconnect check the state of the SSL data structure and call
SSL_free if it is not null.
if (*sslptr != NULL) {
SSL_free (*sslptr);
*sslptr = NULL;
}
Though as you say it is a certificate issue, then perhaps you need to
look at
SSL_CTX_free(*sslctxptr)
Look at the man page for this. Perhaps you are reusing an SSL context
structure. We don't need to call this in our disconnect code, but
testing code may reuse a structure that running code doesn't.
If these don't work for you, then maybe you should look at putting in
some diagnostic printfs to look for where the dirty data is being kept,
you might be reusing something like a DH or X509 structure and you may
need to call a free or cleanup function for that particular structure.
I don't know about the callback function, but I like your guess.
Good Luck,
Jeremy
Nou Dadoun wrote:
Hi, I’ve looked at the archives and didn’t see any apropos discussions
so I thought I’d go straight to the list:
We use the openssl & crypto libraries in several places in our product
both in fips and non-fips modes.
We have a set of unit tests to exercise various portions of our code
to ensure that our implementations using these tools work the way that
they’re supposed to.
I’ve run into an unusual problem, we have a set of crypto
(encrypt/decrypt) tests and a separate set of certificate tests (e.g.
retrieve a certificate and its CA and do a certificate verification).
If I run the certificate tests first and then the crypto tests, all
the tests pass and everything works great.
If I run the crypto tests first and then the certificate test, the
verification fails due to a “signature” failure. This implies to me
that the crypto tests are leaving something in the openssl/crypto
machinery in a funky state which breaks the subsequent certificate
signature computation.
A couple of questions:
What can I do to completely clean the openssl/crypto state to ensure
that this doesn’t happen? I’ve added:
CRYPTO_cleanup_all_ex_data();
ENGINE_cleanup();
But this appears to be inadequate (I suspect necessary but
insufficient), any suggestions?
(I’ve reordered the tests so that they’re passing now but I’d like to
avoid this hack if I can.)
Second question, I added a verification callback routine, e.g.
staticint verify_callback(int ok, X509_STORE_CTX *stor)
{
if(!ok)
{
printf("verify_callback Certificate Verification Error: %s\n",
X509_verify_cert_error_string(stor->error));
}
else
{
printf("verify_callback Certificate Verification Success\n");
}
return ok;
}
I’ve put a breakpoint in it and noticed that when verifying a
certificate, this callback is called twice,
In the successful order above (cert then crypto tests) both calls have
ok == 1,
In the unsuccessful order (crypto then cert), the first call is 1 and
the second is 0 with a “signature error” reported.
Why is it called twice and what’s the difference? (I suspect the
second is signature checking and the first is everything else but I’m
curious).
Thanks in advance … N
---
Nou Dadoun
ndadoun@teradici.com_
_604-628-1215
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
