As noticed by jturner, there is a leak with libtls seen when you connect to a server multiple times.
By looking at the contents of coredumps I worked out that it wasn't freeing the server cert, and tracked it to tls_connect_fds(). OK?
Index: tls_client.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_client.c,v
retrieving revision 1.15
diff -u -p -u -2 -4 -r1.15 tls_client.c
--- tls_client.c 11 Feb 2015 07:01:10 -0000 1.15
+++ tls_client.c 21 Mar 2015 15:03:46 -0000
@@ -246,33 +246,34 @@ tls_connect_fds(struct tls *ctx, int fd_
 connecting:
 if ((ret = SSL_connect(ctx->ssl_conn)) != 1) {
 err = tls_ssl_error(ctx, ret, "connect");
 if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
 ctx->flags |= TLS_CONNECTING;
 return (err);
 }
 goto err;
 }
 ctx->flags &= ~TLS_CONNECTING;
 if (ctx->config->verify_name) {
 cert = SSL_get_peer_certificate(ctx->ssl_conn);
 if (cert == NULL) {
 tls_set_error(ctx, "no server certificate");
 goto err;
 }
 if ((ret = tls_check_servername(ctx, cert, servername)) != 0) {
 if (ret != -2)
 tls_set_error(ctx, "name `%s' not present in"
 " server certificate", servername);
 goto err;
 }
+ X509_free(cert);
 }
 return (0);
 err:
 X509_free(cert);
 return (-1);
 }
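Review bot: After the added `X509_free(cert);` on the success path, the local `cert` still holds the freed pointer, while the `err:` label a few lines below calls `X509_free(cert)` on the same variable. Nothing in the visible hunk jumps to `err` after the new free, so there is no double free today, but any `goto err` added later between the two would create one; following the free with `cert = NULL;` keeps both paths safe. The error path also reaches `X509_free(cert)` from the failed `SSL_connect()` branch, before `SSL_get_peer_certificate()` has run, so it presumably relies on `cert` being initialised to NULL at the top of tls_connect_fds(). That declaration is outside this hunk and worth confirming.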