[openssl-users] Searching for a memory leak in my OpenSSL usage

2017-09-20 Thread Hiesgen, Raphael
Hello,

I have an application that establishes a TLS connection for communication. 
While the communication works, I run into a memory leak that originates from 
CRYPTO_malloc. I tried to search for proper OpenSSL shutdown and related 
issues, but my attempts did not affect the leak. Here is the ASAN output:

```
==2618==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 672 byte(s) in 12 object(s) allocated from:
#0 0x7f14a2c9bec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f149fa4ce87 in CRYPTO_malloc (/lib/x86_64-linux-gnu/libcrypto.so.1.0.0+0x62e87)

Indirect leak of 15024 byte(s) in 228 object(s) allocated from:
#0 0x7f14a2c9bec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f149fa4ce87 in CRYPTO_malloc (/lib/x86_64-linux-gnu/libcrypto.so.1.0.0+0x62e87)

SUMMARY: AddressSanitizer: 15696 byte(s) leaked in 240 allocation(s).
```


My test establishes a connection between two threads handled by the same 
process. Both keep their own separate SSL context. Just to be sure that this is 
not a multithreading problem, I tried passing locking and ID functions to 
OpenSSL, but that did not change anything.

Here are the steps to reproduce the problem when you have OpenSSL installed via 
the system package manager. If you want to use a specific SSL installation, the 
configure script accepts a '--with-openssl=PATH' argument.

```
git clone https://github.com/actor-framework/actor-framework.git
cd actor-framework
git checkout develop
./configure --build-type=debug --with-address-sanitizer
make
./build/bin/caf-test -s openssl_dynamic_remote_actor
```


The SSL session is created on top of an already established TCP connection 
using a non-blocking socket.

For initialization [1], we call create_ssl_context and SSL_new. This seems to 
be enough (?), and using Wireshark I can observe the handshake and so on. To 
clean up [2], we simply call SSL_free and SSL_CTX_free. Searching online, there 
are really many functions for cleaning up different SSL parts, but they did not 
seem to do anything. Here are the functions I tried (just to be sure, I tried 
them all in different configurations):

```
FIPS_mode_set(0);
EVP_cleanup();
SSL_COMP_free_compression_methods();
COMP_zlib_cleanup();
ERR_remove_state(0);
ERR_remove_thread_state(NULL);
CONF_modules_free();
CONF_modules_unload(1);
ERR_free_strings();
CRYPTO_cleanup_all_ex_data();
```


The multithreading additions are not in the branch, but I basically followed 
the libcurl example [3], with a bit more C++. My host system is an Ubuntu 
17.04 with the '4.10.0-35-generic' kernel, GCC '6.3.0 (20170406)' and 'OpenSSL 
1.0.2g  1 Mar 2016'.

Thank you for your time!

Best Regards
Raphael


[1] https://github.com/actor-framework/actor-framework/blob/develop/libcaf_openssl/src/session.cpp#L56
[2] https://github.com/actor-framework/actor-framework/blob/develop/libcaf_openssl/src/session.cpp#L67
[3] https://curl.haxx.se/libcurl/c/opensslthreadlock.html
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


RE: [squid-users] TR: [Bulk] Re: [squid-users] Certificate Validation problem due to Sha 256 message digest

2008-12-15 Thread Raphael
Hi Henrik,

Thanks for helping. 

I'm checking for calling OpenSSL_add_all_algorithms() in the sources.
Concerning the ciphers, I don't know either, but all the certificates were
issued using Openssl (and OpenCA 1.0.2).

I chose to issue a CA certificate with an 8192-bit key length; might that become a
problem?
The certificates are 2048 bits long; here is an example:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, O=x, OU=CA, CN=CA/emailaddress=rese...@x.fr
        Validity
            Not Before: Oct 29 09:54:00 2008 GMT
            Not After : Dec  7 09:54:00 2035 GMT
        Subject: C=FR, O=CAHPP, OU=Users, CN=72571934AA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b8:19:f7:08:a8:24:2e:f2:77:fc:cf:49:fb:2a:
                    ...
                    58:50:87:52:2d:2b:43:98:f7:2f:99:6f:43:e7:be:
                    23:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
            Netscape Comment:
                User Certificate of X
            X509v3 Subject Key Identifier:
                34:03:0A:FB:37:C7:F0:59:16:1D:84:85:FC:18:BA:4C:31:1A:25:E8
            X509v3 Authority Key Identifier:
                keyid:A6:30:F5:FA:A3:88:27:C5:D7:91:AE:91:D4:75:09:28:41:85:D4:C2
                DirName:/C=FR/O=x/OU=CA/CN=CA/emailaddress=rese...@x.fr
                serial:F8:DA:53:89:72:B7:DC:B1

            X509v3 Subject Alternative Name:
                email:rese...@x.fr
            X509v3 Issuer Alternative Name:
                email:rese...@x.fr
            Netscape CA Revocation Url:
                https://ldap.x.fr/openca2/pub/crl/cacrl.crl
            Netscape Revocation Url:
                https://ldap.x.fr/openca2/pub/crl/cacrl.crl
            X509v3 CRL Distribution Points:
                URI:https://ldap.x.fr/openca2/pub/crl/cacrl.crl

    Signature Algorithm: sha256WithRSAEncryption
        9d:c6:ef:97:97:4f:ae:23:4c:a2:46:12:83:aa:0a:c8:b9:4a:
        ...
        38:42:35:1f:63:69:0b:ed:08:01:56:a7:14:aa:3f:5f
```

May it help?
Raphael

-Original Message-
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net] 
Sent: Sunday, 14 December 2008 00:23
To: Raphael
Cc: squid-us...@squid-cache.org
Subject: Re: [squid-users] TR: [Bulk] Re: [squid-users] Certificate Validation problem due to Sha 256 message digest

On Fri, 2008-12-12 at 14:53 +0100, Raphael wrote:

> I use Openssl 0.9.8i which manages to check the certificate. I am also able
> to get the sha256 digest of a file:
> openssl dgst -sha256 /root/openssl-0.9.8i.tar.gz
> is working and giving me the message digest.

That's fine. But the digest algorithm also needs to be in the cipher
suite profile. In the normal openssl cipher suite for SSL only SHA1 is
included.

I don't know if OpenSSL supports SHA2 in the cipher suites. It does not
look like it from a quick glance (see openssl ciphers command). (0.9.8g)

Regards
Henrik


__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


TR: certificate verification with sha256 and squid

2008-12-12 Thread Raphael
Hi all,

I am setting up a CA and a reverse proxy for HTTPS with Squid filtering access
to the backend web site.

I compiled Openssl 0.9.8i from source on the CA and Squid 2.7 (or 3)
servers. I manage to verify the sha256-protected certificate on both
computers using:

```
openssl verify -CAFile /root/CA/cacert.pem -verbose /root/72571934AA.pem
/root/72571934AA.pem: OK
```

However, when Squid checks the client certificate, it gives an error in the log
files:

```
SSL unknown certificate error 7 in /C=FR/O=/OU=Users/CN=72571934AA
clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest algorithm (1/-1)
```

So I think Squid doesn't understand the sha256 message digest, so it cannot
verify the certificate?

When I enter the command openssl list-message-digest-commands, I get:

```
md2
md4
md5
rmd160
sha
sha1
```

There's no sha256, but I don't know if this is normal? (Would sha256 be under
the sha entry?)

When I do openssl speed I see a sha256 speed calculation.

I tried with multiple client browsers (Linux and Windows) that should handle
sha256 (Debian unstable and Windows XP SP3).

I tested multiple versions of Squid and Openssl and the error still shows up.

I posted a mail on the Squid mailing list and they asked if I had compiled
Squid with Openssl support. I did, and I don't know where the problem is.

I could use sha1, but the CA will be more secure with sha256, as it is
designed to last until 2030 :)

Could someone give me a hint, as I am lost?

Thanks

Raphael BUQUET



Re: Steps to port openssl to VxWorks?

2007-06-03 Thread Raphael Ackermann

VxWorks comes with its own version of OpenSSL at least for the targets
used by the project I am working on. There is documentation as to how
to port applications using OpenSSL from OpenSSL to the VxWorks SSL.

Raphael Ackermann

On 6/3/07, Allen Chen [EMAIL PROTECTED] wrote:

Hello, I am a beginner with the openssl project.

I want to port an openssl application to VxWorks, for an ads860 or
Pentium CPU. I use a Windows XP platform to build the project,
and plan to port the basic functions of openssl to a Pentium CPU,
then test on a VMware workstation.

What steps shall I follow to do this? Thanks.


Problem compiling.

2000-12-20 Thread Raphael Travenssoli

Hi everyone. I'm having a problem while trying to compile openssl. 
I'm running a Linux box, that's a Slackware 7.1, Apache 1.3.14, openssl 
0.9.6, and mod_ssl 2.7.1. I had the same problem when I was installing 
on another machine; I found the solution, and it was very simple: I just 
downloaded a new lib and it worked, but I can't find the webpage again. 
The problem comes when I try the 'make'. I get a message like this:

```
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory '/usr/src/openssl-0.9.6/crypto'
make: *** [all] Error 1
```

I asked the Slackware people for help; they tried to help, but it didn't work, 
so I'm asking if anyone knows what I should do.

Thanks...

+++
+ Raphael Travenssoli +
+ PUC-PR Network Team +
+++
