On Tue, Jul 12, 2016 at 02:11:39PM -0700, Roberto Guimaraes wrote: > My apologies and thanks for the heads up! I will revert it on my end as well. > Weird, nginx seems to have the same unconditional DH_free in there.
I had no problem with this on my laptop with openssl 1.0.1 and the few tests we made on a few distros caused no problem either. However in addition to the definitive crashes we're seeing on 1.0.2, we got reports of crashes on 1.0.1 on centos (which might possibly backport a few extra fixes or improvements from 1.0.2). So all I'd say is that in its current form it doesn't look safe for the long term to use even on your distro. Also regarding the fact that Nginx does the same, maybe it allocates its equivalent of the local_dh1024 differently and is always allowed to free it. You may be interested in testing RĂ©mi's fix instead (after you revert yours) and compare. His explanation makes a lot of sense to me (with my very limited understanding of openssl). I don't want to backport it *now* into 1.6 to avoid emitting a new broken version as a fix for the existing one but once we're confident enough in the fix I'm fine with doing it. Regards, Willy