details: http://freenginx.org/hg/nginx-tests/rev/b79ae9f9b554 branches: changeset: 2036:b79ae9f9b554 user: Maxim Dounin <[email protected]> date: Mon Dec 15 03:36:20 2025 +0300 description: Tests: resolved ssl_store_pkcs11.t failures on Debian.
There is a race between SoftHSM destructor and OpenSSL's atexit() handler, which results in segmentation faults on process exit when using unpatched SoftHSM 2.6.1 (latest version at the time of writing): https://github.com/latchset/pkcs11-provider/issues/310 https://github.com/openssl/openssl/issues/22508 https://github.com/openssl/project/issues/1719 https://github.com/softhsm/SoftHSMv2/issues/780 In particular, segmentation faults were observed on Debian, which uses some patches for SoftHSM, but not a patch which prevents SoftHSM object destruction as seen on Ubuntu: https://bugs.launchpad.net/ubuntu/+source/softhsm2/+bug/2059340 https://git.launchpad.net/ubuntu/+source/softhsm2/commit/?id=1d7c9001dbb7b89d2f72b920e09353dd90895b43 This can be resolved with the "no-deinit" quirk in pkcs11-provider. diffstat: ssl_store_pkcs11.t | 14 ++++++++++++-- 1 files changed, 12 insertions(+), 2 deletions(-) diffs (31 lines): diff --git a/ssl_store_pkcs11.t b/ssl_store_pkcs11.t --- a/ssl_store_pkcs11.t +++ b/ssl_store_pkcs11.t @@ -125,7 +125,17 @@ EOF # pkcs11-module-load-behavior = early # pkcs11-module-quirks = no-operation-state # -# No quirks are needed with pkcs11-provider 1.0+. +# Further, there is a race between SoftHSM destructor and OpenSSL's atexit() +# handler, which results in segmentation faults on process exit when using +# unpatched SoftHSM 2.6.1 (latest version at the time of writing) with +# pkcs11-provider: +# +# https://github.com/latchset/pkcs11-provider/issues/310 +# https://github.com/openssl/openssl/issues/22508 +# https://github.com/openssl/project/issues/1719 +# https://github.com/softhsm/SoftHSMv2/issues/780 +# +# This can be resolved with the "no-deinit" quirk. # Libraries on various systems: FreeBSD, Alpine, Debian, Fedora @@ -164,7 +174,7 @@ module = $provider pkcs11-module-path = $softhsm pkcs11-module-token-pin = 1234 pkcs11-module-load-behavior = early -pkcs11-module-quirks = no-operation-state +pkcs11-module-quirks = no-operation-state no-deinit activate = 1 [ req ]
