# HG changeset patch # User Maxim Dounin <[email protected]> # Date 1765758980 -10800 # Mon Dec 15 03:36:20 2025 +0300 # Node ID b79ae9f9b554a2a8e1bdc9fde7f5730914b363ee # Parent cc23719251b0c98e556453e0f6f498111da7ec82 Tests: resolved ssl_store_pkcs11.t failures on Debian.
There is a race between SoftHSM destructor and OpenSSL's atexit() handler, which results in segmentation faults on process exit when using unpatched SoftHSM 2.6.1 (latest version at the time of writing): https://github.com/latchset/pkcs11-provider/issues/310 https://github.com/openssl/openssl/issues/22508 https://github.com/openssl/project/issues/1719 https://github.com/softhsm/SoftHSMv2/issues/780 In particular, segmentation faults were observed on Debian, which uses some patches for SoftHSM, but not a patch which prevents SoftHSM object destruction as seen on Ubuntu: https://bugs.launchpad.net/ubuntu/+source/softhsm2/+bug/2059340 https://git.launchpad.net/ubuntu/+source/softhsm2/commit/?id=1d7c9001dbb7b89d2f72b920e09353dd90895b43 This can be resolved with the "no-deinit" quirk in pkcs11-provider. diff --git a/ssl_store_pkcs11.t b/ssl_store_pkcs11.t --- a/ssl_store_pkcs11.t +++ b/ssl_store_pkcs11.t @@ -125,7 +125,17 @@ EOF # pkcs11-module-load-behavior = early # pkcs11-module-quirks = no-operation-state # -# No quirks are needed with pkcs11-provider 1.0+. +# Further, there is a race between SoftHSM destructor and OpenSSL's atexit() +# handler, which results in segmentation faults on process exit when using +# unpatched SoftHSM 2.6.1 (latest version at the time of writing) with +# pkcs11-provider: +# +# https://github.com/latchset/pkcs11-provider/issues/310 +# https://github.com/openssl/openssl/issues/22508 +# https://github.com/openssl/project/issues/1719 +# https://github.com/softhsm/SoftHSMv2/issues/780 +# +# This can be resolved with the "no-deinit" quirk. # Libraries on various systems: FreeBSD, Alpine, Debian, Fedora @@ -164,7 +174,7 @@ module = $provider pkcs11-module-path = $softhsm pkcs11-module-token-pin = 1234 pkcs11-module-load-behavior = early -pkcs11-module-quirks = no-operation-state +pkcs11-module-quirks = no-operation-state no-deinit activate = 1 [ req ]
