It’s a double-free…. we need to NULL local_dh_1024 after the free because your code has the following destructor (1.5 doesn’t):
__attribute__((destructor)) static void __ssl_sock_deinit(void) { #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME lru64_destroy(ssl_ctx_lru_tree); #endif #ifndef OPENSSL_NO_DH if (local_dh_1024) { DH_free(local_dh_1024); local_dh_1024 = NULL; } So I was able to reproduce it by adding the destructor and NULLing the var after freeing fixes it. Also, it’s not just nginx that does the freeing - haproxy also does that in different code paths (loading it from file): /* Loads Diffie-Hellman parameter from a file. Returns 1 if loaded, else -1 if an error occured, and 0 if parameter not found. */ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file) { …. …. end: if (dh) DH_free(dh); return ret; } so I think the DH_free is indeed correct since it will leak otherwise. however, sometime along the way the destructor was added which will double-free the global variable. once again, apologize for the bug. thanks, roberto > On Jul 12, 2016, at 2:55 PM, Roberto Guimaraes <rguimar...@fastly.com> wrote: > > o