curl-users
Incorrect OpenSSL usage and thread-safety issues in Curl_ossl_seed
Date: Wed, 29 Jul 2009 16:00:34 +0100
Hi,
We've found intermittent deadlocks and crashes in LibCurl 7.19.5 under
certain conditions on Windows. This is due to both LibCurl and OpenSSL
not being thread-safe in certain routines.
As far as LibCurl is concerned, the problem comes from Curl_ossl_seed
that contains a non-thread-safe static initialization. See ssluse.c,
line 270 to 276.
Further down the stack, ossl_seed() calls RAND_screen(). Now apparently
RAND_screen is not thread-safe either. See the discussion on OpenSSL
mailing list for more info.
http://marc.info/?l=openssl-dev&m=124838339302787&w=2
Note: We've currently worked around the RAND_screen() part by setting
HAVE_RAND_SCREEN to 0 in the config file.
Regards,
Tanguy
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-07-29