curl_easy_perform() crash (more info)

curl 7.65.3
openssl 1.1.1b

I'm still hunting for the crash bug in my application and found
something interesting: "old SSL session ID is stale, removing" (marked
"<-- this row") is reported twice about the same time in the verbose
curl output below.

Are 2 threads trying to remove the same session without locking? As far
as I understand from openssl.c that should be prevented by the call to
Curl_ssl_sessionid_lock(conn)?

I setup a share which I initialize once with:
CURLSH *sslShare;
sslShare = curl_share_init();
curl_share_setopt(sslShare, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);

and then different threads call a function which in turn set it like
this before calling curl_easy_perform:
CURL *curl = curl_easy_init();
(...)
curl_easy_setopt(curl, CURLOPT_SHARE,             sslShare);
res = curl_easy_perform(curl);

Should that be enough for session share protection, or do I also have to
configure own locking similar to this:
curl_share_setopt(sslShare, CURLSHOPT_LOCKFUNC, a_lock_cb);
curl_share_setopt(sslShare, CURLSHOPT_UNLOCKFUNC, an_unlock_cb);

?

Thanks,
/Daniel

Verbose curl output:

* STATE: PERFORM => DONE handle 0x623000220508; line 1933 (connection #0)
* multi_done
* Connection #0 to host www.nordnet.se left intact
* Expire cleared (transfer 0x623000220508)
* * old SSL session ID is stale, removing          <------------ this row
old SSL session ID is stale, removing <------------this row
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=SE;
serialNumber=516406-0021; C=SE; L=Stockholm; O=Nordnet Bank AB;
CN=www.nordnet.se
*  start date: May 28 00:00:00 2019 GMT
*  expire date: Aug 13 12:00:00 2020 GMT
*  subjectAltName: host "www.nordnet.se" matched cert's "www.nordnet.se"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2
Extended Validation Server CA
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x62300024c108; line 1566 (connection #0)
* Server auth using Basic with user [removed]
> GET /next/2/news/1001099919 HTTP/1.1

Stack at crash:

0x7ffff72c2605
0x7ffff72c0968
ASN1_item_free() at 0x7ffff72c0a85
OPENSSL_sk_pop_free() at 0x7ffff73fc4f0
SSL_SESSION_free() at 0x7ffff752c3b6
Curl_ossl_session_free() at openssl.c:1,399 0x5555557829af
Curl_ssl_kill_session() at vtls.c:374 0x55555573b6d4
Curl_ssl_delsessionid() at vtls.c:398 0x55555573b7b0
ossl_new_session_cb() at openssl.c:2,268 0x55555578406e
0x7ffff752582a
0x7ffff7544153
0x7ffff753997e
SSL_do_handshake() at 0x7ffff75259c4
ossl_connect_step2() at openssl.c:2,798 0x555555785c78
ossl_connect_common() at openssl.c:3,608 0x5555557885d8
Curl_ossl_connect_nonblocking() at openssl.c:3,642 0x555555788706
Curl_ssl_connect_nonblocking() at vtls.c:275 0x55555573b1c4
https_connecting() at http.c:1,559 0x5555557469f7
Curl_protocol_connecting() at url.c:1,477 0x555555750912
multi_runsingle() at multi.c:1,563 0x55555571f9af
curl_multi_perform() at multi.c:2,090 0x555555720b16
easy_transfer() at easy.c:624 0x5555557181a7
easy_perform() at easy.c:718 0x555555718426
curl_easy_perform() at easy.c:737 0x55555571848d
nordnetApi::query() at nordnetApi.cpp:255 0x5555556a1019
nordnetApi::newsItem() at basic_string.h:656 0x5555556b27ac
feedProcessor::run() at feedProcessor.cpp:1,383 0x55555566e7bc
runThread() at Thread.cpp:25 0x55555558c5e4
start_thread() at pthread_create.c:486 0x7ffff7207182
clone() at clone.S:95 0x7ffff6cd5b1f
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-09-10