Menu

#65 Crashes due to OpenSSL threading callbacks if interpreter is deleted

open
nobody
None
5
2017-01-19
2016-10-05
Will Storey
No

Hello,

I recently ran into a case where my application would crash when using this library (1.6.7). I determined it to be related to the addition of CRYPTO_set_locking_callback() and CRYPTO_set_id_callback(). Specifically, when I deleted the Tcl interpreter (but my application remained running), OpenSSL still called the callback functions, but they were no longer available.

Here are the general steps to reproduce this behaviour:

  • Have an application with an OpenSSL SSL/TLS connection
  • Create a Tcl interpreter
  • Load this package
  • Delete the Tcl interpreter
  • Try to interact with the SSL/TLS connection

I have attached a patch that resolves the problem. It works by registering another callback for when the Tcl interpreter is deleted. At that point, we set the OpenSSL callbacks to what they were prior to this library changing them.

I wrote a post about this issue and my investigation if you would like additional background:

https://blog.summercat.com/tcl-tls-openssl-threads-and-irssi-crashing.html

I am not certain that the patch resolves all possible issues with using these OpenSSL callbacks however. For example, consider the case where we have an application that does the following:

  • Loads this library (leading to us setting the callbacks)
  • Application then sets its own OpenSSL callbacks (unaware they were set)

At that point, can we guarantee the new callbacks are sufficient? Also, if we then throw into the mix unloading this library, we're in the situation where there are no callbacks set at all.

Perhaps this is a far out possibility. It makes me wonder whether it is appropriate for this library to be setting these at all though. I would be very interested in your thoughts on the matter as I am by no means an expert here.

Thank you for your time.

1 Attachments
tcl-tls-openssl-callbacks.diff

Discussion

  • Jeff Lawson

    Jeff Lawson - 2017-01-17

    Can you test out the new TclTLS 1.7.11 that is now officially hosted at http://core.tcl.tk/tcltls/index ? It incorporates a number of improvements to modernize and may already incorporate your fix. If not, then please re-submit your bug report against that new repo.

     

  • Will Storey

    Will Storey - 2017-01-19

    Thanks for letting me know! I've tested it and found it is still a problem. I will post on the other site you mentioned as well. I've attached an updated diff here as well (against tcl-tls 1.7.11).

    I found it happened on Debian Jessie with 1.7.11 and 1.6.7, but not on Debian Stretch. I believe the newer openssl may be the difference.

    By the way, will this sourceforge site be updated to mention/redirect people to the new host?

     
    tcl-tls-openssl-callbacks-1.7.11.diff

  • Will Storey

    Will Storey - 2017-01-19

    Here's the ticket at the new site: http://core.tcl.tk/tcltls/tktview?name=90be78af8b

     
MongoDB Logo MongoDB