Hi All,

This is something that I think I've raised before but don't remember getting
resolution on.

OpenSSL maintains various global variables and structures, and there are
cleanup functions that must be used to properly release the resources when
finished. One example is the OID database managed by the
"add_all_algorithms" function and its associated release function,
EVP_cleanup. All is good when the use of OpenSSL is fairly simple, such as
a single component using it for the lifetime of the process.

Where things get difficult/dangerous is when multiple separate components in
the one process, with no real knowledge of each other, make use of OpenSSL,
and it's even worse if they dynamically load and unload OpenSSL using
dlopen/LoadLibrary. With large enterprise applications this is a common
situation since different teams develop components that the large product
makes use of, and with the increasing use of "plug-in" architectures the
dynamic loading/unloading is not uncommon.

There seems to be no way offered by the OpenSSL API for these components to
behave well. If they each do a dlopen -> dlsym -> ... -> EVP_cleanup ->
dlclose sequence then it seems that they will trample on each other. If
they take the extreme opposite and don't call EVP_cleanup then the process
will leak until it falls over.

This is a serious issue that I believe impacts the stability and therefore
limits the usefulness of OpenSSL in large enterprise applications. Does
anyone else have any thoughts on this?

Regards,

Steven



__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
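
The teardown collision described in the message, as an added example that is not part of the original post and is not OpenSSL code: `lib_add_all`, `lib_cleanup`, `lib_lookup` and the `guard_*` reference count are hypothetical stand-ins for a library with process-global state. It shows one component's cleanup breaking another component's lookup, next to a shared first-in/last-out count that avoids both the trample and the leak.

```c
/* Added illustration: lib_* are constructed stand-ins for a library with
 * process-global state (the add_all_algorithms / EVP_cleanup pair). */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
static const char *g_table[2];   /* process-global table shared by all users */
static int g_count;
static void lib_add_all(void) { g_table[0] = "sha256"; g_table[1] = "md5"; g_count = 2; }
static void lib_cleanup(void) { g_count = 0; }   /* drops state for EVERY user */
static int lib_lookup(const char *name) {
    for (int i = 0; i < g_count; i++)
        if (strcmp(g_table[i], name) == 0) return 1;
    return 0;
}

/* Hypothetical process-wide guard: first user populates, last user frees. */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;
static int g_users;
void guard_acquire(void) {
    pthread_mutex_lock(&g_lock);
    if (g_users++ == 0) lib_add_all();
    pthread_mutex_unlock(&g_lock);
}
void guard_release(void) {
    pthread_mutex_lock(&g_lock);
    if (g_users > 0 && --g_users == 0) lib_cleanup();
    pthread_mutex_unlock(&g_lock);
}

/* Components A and B overlap; A finishes first. Returns B's lookup result. */
int b_lookup_naive(void) {
    lib_add_all();                    /* A initialises */
    lib_add_all();                    /* B initialises */
    lib_cleanup();                    /* A finishes and cleans up */
    int ok = lib_lookup("sha256");    /* B is still running */
    lib_cleanup();                    /* B finishes */
    return ok;
}
int b_lookup_guarded(void) {
    guard_acquire();                  /* A */
    guard_acquire();                  /* B */
    guard_release();                  /* A finishes: 2 -> 1, state kept */
    int ok = lib_lookup("sha256");
    guard_release();                  /* B finishes: 1 -> 0, state freed */
    return ok;
}
int main(void) {
    int naive = b_lookup_naive(), guarded = b_lookup_guarded();
    printf("naive=%d guarded=%d left=%d\n", naive, guarded, g_count);
}
```

The count only helps when every component in the process goes through the same guard, which is the coordination the message says independent components do not have.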