memory still reachable post calling SSL_CTX_free

2022-06-21 Thread Tiwari, Hari Sahaya
Hi,
I need one clarification on the routine SSL_CTX_free(). I see the memory is not 
freed even after calling SSL_CTX_free().

I have a simple test program, which just does SSL_CTX_new() and SSL_CTX_free().

#include <openssl/ssl.h>   /* SSL_CTX_new, SSL_CTX_free, OPENSSL_init_ssl, TLS_method */
#include <unistd.h>        /* sleep */

int main(void)
{
    const SSL_METHOD *method;
    SSL_CTX *ctx = NULL;

    /* One-time library initialisation (SSL_CTX_new would also do this implicitly) */
    OPENSSL_init_ssl(0, NULL);
    method = TLS_method();
    ctx = SSL_CTX_new(method);
    if (ctx == NULL) {
        return -1;
    }
    SSL_CTX_free(ctx);
    ctx = NULL;
    sleep(300);   /* the process is terminated during this sleep, under valgrind */
    return 0;
}

If the program is terminated after it enters the sleep, I see that the memory is 
still reachable in valgrind.

Here is output from valgrind,

==443000== 10,224 bytes in 426 blocks are still reachable in loss record 593 of 594
==443000==    at 0x4C34F0B: malloc (vg_replace_malloc.c:307)
==443000==    by 0x525D775: OPENSSL_LH_insert (in /usr/lib64/libcrypto.so.1.1.1g)
==443000==    by 0x522DDB2: ??? (in /usr/lib64/libcrypto.so.1.1.1g)
==443000==    by 0x522E1CF: ERR_load_strings_const (in /usr/lib64/libcrypto.so.1.1.1g)
==443000==    by 0x4E79083: ERR_load_SSL_strings (in /usr/lib64/libssl.so.1.1.1g)
==443000==    by 0x4E790BC: ??? (in /usr/lib64/libssl.so.1.1.1g)
==443000==    by 0x5DABCD6: __pthread_once_slow (in /usr/lib64/libpthread-2.28.so)
==443000==    by 0x52C4ADC: CRYPTO_THREAD_run_once (in /usr/lib64/libcrypto.so.1.1.1g)
==443000==    by 0x4E794FA: OPENSSL_init_ssl (in /usr/lib64/libssl.so.1.1.1g)
==443000==    by 0x4E7D371: SSL_CTX_new (in /usr/lib64/libssl.so.1.1.1g)
==443000==    by 0x400749: main (in /home/hari/a.out)

SSL_CTX_free() is already called before sleep(), but the memory is still hanging 
around.
Is there something I am missing here? Do I need to follow some other steps?
This memory leak is impacting our long-running processes, which allocate and 
free contexts.
Any pointers will be very helpful.

Thanks,
Hari.


RE: SSL_connect fails on systemd socket

2020-01-30 Thread Tiwari, Hari Sahaya
Hi Matt,

I got it working through systemd. My server program needed some modifications 
to properly respond to SSL_connect.

Thanks for your assistance.

Regards,
Hari.

-Original Message-
From: Matt Caswell [mailto:m...@openssl.org] 
Sent: Wednesday, January 29, 2020 11:14 PM
To: Tiwari, Hari Sahaya ; openssl-users@openssl.org
Subject: Re: SSL_connect fails on systemd socket



On 29/01/2020 17:28, Tiwari, Hari Sahaya wrote:
> Yes, client is also on the same version 1.0.2. In this case the SSL 
> handshake (SSL_connect & SSL_accept) is done through a systemd socket/service, 
> which is failing.
> Any references around it will be very helpful.

What kind of BIO are you using for reading the data in the server?

Is it possible to get a wireshark trace of the failing handshake?

Matt


> 
> Regards,
> Hari.
> 
> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On 
> Behalf Of Matt Caswell
> Sent: Tuesday, January 28, 2020 8:27 PM
> To: openssl-users@openssl.org
> Subject: Re: SSL_connect fails on systemd socket
> 
> 
> 
> On 28/01/2020 14:03, Tiwari, Hari Sahaya wrote:
>> 140691172779952:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
> 
> You don't say, but from the reference to s3_pkt.c above I assume you 
> are using OpenSSL 1.0.2
> 
> This error means that the server has received a record that has the wrong 
> protocol version number in it. It has progressed far enough along the line 
> that it has already processed the initial ClientHello from the client and is 
> now trying to read some later record from the client.
> Because it has already processed the initial ClientHello we have already 
> determined which protocol version is in use, so all records should use that 
> protocol version in their headers. In the case of this error we've received 
> something other than that version.
> 
> This usually occurs because of some corruption of the data.
> 
> Are you also using OpenSSL 1.0.2 on the client?
> 
> Matt
> 
>>
>> Here the client is able to do a normal connect; after that SSL_connect fails.
>>
>> This client-server program works well outside of systemd.
>>
>> Do I need to add some extra steps to get this working?
>>
>> Any help or reference would be appreciated.
>>
>> Thanks & Regards,
>>
> 


RE: SSL_connect fails on systemd socket

2020-01-29 Thread Tiwari, Hari Sahaya
Yes, client is also on the same version 1.0.2.
In this case the SSL handshake (SSL_connect & SSL_accept) is done through a systemd 
socket/service, which is failing.
Any references around it will be very helpful.

Regards,
Hari.

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Matt Caswell
Sent: Tuesday, January 28, 2020 8:27 PM
To: openssl-users@openssl.org
Subject: Re: SSL_connect fails on systemd socket



On 28/01/2020 14:03, Tiwari, Hari Sahaya wrote:
> 140691172779952:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

You don't say, but from the reference to s3_pkt.c above I assume you are using 
OpenSSL 1.0.2

This error means that the server has received a record that has the wrong 
protocol version number in it. It has progressed far enough along the line that 
it has already processed the initial ClientHello from the client and is now 
trying to read some later record from the client.
Because it has already processed the initial ClientHello we have already 
determined which protocol version is in use, so all records should use that 
protocol version in their headers. In the case of this error we've received 
something other than that version.

This usually occurs because of some corruption of the data.

Are you also using OpenSSL 1.0.2 on the client?

Matt

> 
> Here the client is able to do a normal connect; after that SSL_connect fails.
> 
> This client-server program works well outside of systemd.
> 
> Do I need to add some extra steps to get this working?
> 
> Any help or reference would be appreciated.
> 
> Thanks & Regards,
> 
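Added example (illustrative code written for this page, not OpenSSL's record layer and not from either poster) of the record-header check that produces "wrong version number", following Matt's description above: before the ClientHello has been processed only the major version byte is inspected, and afterwards every record header must carry the negotiated version exactly. The sample bytes are constructed: a valid TLS 1.2 handshake record followed by a plaintext line, which is what a client's record layer sees if the peer writes anything unencrypted on the same socket after the handshake has started. It needs no OpenSSL headers; the payload size bound is a value chosen for this example, not the library's own constant, and the function names are this example's.

```c
/*
 * Added example (not from the original thread): the TLS record-header check
 * behind "wrong version number". Plain C, no OpenSSL needed. The rules mirror
 * what the record layer enforces but this is illustrative code, not the
 * library's. All sample bytes are constructed for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_HEADER_LEN 5
#define MAX_RECORD_PAYLOAD (16384 + 2048)   /* example bound, not OpenSSL's exact constant */

enum record_status { RECORD_OK = 0, RECORD_TRUNCATED, RECORD_WRONG_VERSION, RECORD_TOO_LONG };

struct record_header {
    uint8_t type;       /* 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data */
    uint16_t version;   /* e.g. 0x0303 for TLS 1.2 */
    uint16_t length;    /* payload bytes that follow the 5-byte header */
};

/*
 * Validate one record header. negotiated_version == 0 means the ClientHello
 * has not been processed yet, so only the major version byte (0x03) is
 * checked; afterwards the header must carry exactly the negotiated version.
 */
enum record_status check_record_header(const uint8_t *buf, size_t len,
                                       uint16_t negotiated_version,
                                       struct record_header *out)
{
    if (len < RECORD_HEADER_LEN)
        return RECORD_TRUNCATED;
    struct record_header h;
    h.type = buf[0];
    h.version = (uint16_t)((buf[1] << 8) | buf[2]);
    h.length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (out != NULL)
        *out = h;
    if (negotiated_version != 0 && h.version != negotiated_version)
        return RECORD_WRONG_VERSION;   /* later record disagrees with the negotiated version */
    if ((h.version >> 8) != 0x03)
        return RECORD_WRONG_VERSION;   /* not even a TLS/SSL3 major version: likely plaintext */
    if (h.length > MAX_RECORD_PAYLOAD)
        return RECORD_TOO_LONG;
    return RECORD_OK;
}

/*
 * Walk a byte stream record by record and report the first header that fails,
 * storing its byte offset and record index. Returns RECORD_OK if every record
 * (including its payload) is present and valid.
 */
enum record_status first_bad_record(const uint8_t *stream, size_t len,
                                    uint16_t negotiated_version,
                                    size_t *offset, int *index)
{
    size_t pos = 0;
    int i = 0;
    while (pos < len) {
        struct record_header h;
        enum record_status st = check_record_header(stream + pos, len - pos,
                                                    negotiated_version, &h);
        if (st == RECORD_OK && pos + RECORD_HEADER_LEN + h.length > len)
            st = RECORD_TRUNCATED;     /* header fine, payload cut short */
        if (st != RECORD_OK) {
            if (offset != NULL) *offset = pos;
            if (index != NULL) *index = i;
            return st;
        }
        pos += RECORD_HEADER_LEN + h.length;
        i++;
    }
    return RECORD_OK;
}

/* Constructed: one TLS 1.2 handshake record with a 2-byte payload, then a
 * plaintext line a server might write to the socket before/instead of TLS. */
const uint8_t SAMPLE_STREAM[] = {
    0x16, 0x03, 0x03, 0x00, 0x02, 0xaa, 0xbb,
    'H', 'E', 'L', 'L', 'O', '\r', '\n'
};
const size_t SAMPLE_STREAM_LEN = sizeof SAMPLE_STREAM;

/* Offset of the first bad record in SAMPLE_STREAM with TLS 1.2 negotiated, or -1. */
long sample_stream_bad_offset(void)
{
    size_t off = 0;
    if (first_bad_record(SAMPLE_STREAM, SAMPLE_STREAM_LEN, 0x0303, &off, NULL) == RECORD_OK)
        return -1;
    return (long)off;
}

int main(void)
{
    size_t off = 0;
    int idx = 0;
    enum record_status st = first_bad_record(SAMPLE_STREAM, SAMPLE_STREAM_LEN, 0x0303, &off, &idx);
    printf("status=%d at record %d (byte offset %zu): bytes %02x %02x %02x\n",
           st, idx, off, SAMPLE_STREAM[off], SAMPLE_STREAM[off + 1], SAMPLE_STREAM[off + 2]);
    return 0;
}
```

The plaintext "HELLO" is read as type 0x48 and version 0x454c, which is why stray bytes on the wire surface as a version error rather than as a decryption or MAC failure.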


SSL_connect fails on systemd socket

2020-01-28 Thread Tiwari, Hari Sahaya
Hi,

I am trying to implement a client-server program over SSL through systemd.
Here I have a TCP systemd socket (listening on a predefined port) and its 
associated service.

systemd socket file:-
# cat /usr/lib/systemd/system/test_ssl.socket
[Unit]
Description=Test socket

[Socket]
ListenStream=2000
Accept=true
MaxConnections=900

[Install]
WantedBy=sockets.target

systemd service file:-
# cat /usr/lib/systemd/system/test_ssl@.service
[Unit]
Description= Test Service
Requires=test_ssl.socket

[Service]
ExecStart=/home/SSL/server
StandardInput=socket
KillMode=process

[Install]
WantedBy=multi-user.target

The service file invokes the binary /home/SSL/server.

Here it is a very simple client-server program, where

1. Server binds and listens on a port number.

2. Client first connects to the server with a normal connect (server will do 
accept).

3. Once it gets the fd, client does SSL_connect over the same connection 
(server will do SSL_accept).

4. After that it will be SSL_read & SSL_write.

Once I start the systemd socket, I can see that systemd starts listening on port 
2000.
# systemctl start test_ssl.socket
# netstat -an | grep 2000
tcp6       0      0 :::2000                 :::*                    LISTEN

Then, when executing the client, SSL_connect fails.
# ./client localhost 2000
OpenConnection succeeded.   << normal connect succeeds.
SSL_connect failed.
140691172779952:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
Here the client is able to do a normal connect; after that SSL_connect fails.

This client server program works well outside of systemd.

Do I need to add some extra steps to get this working?
Any help or reference would be appreciated.

Thanks & Regards,