
OpenSSL initialization bug in Serf

From: Branko Čibej <brane_at_wandisco.com>
Date: Wed, 15 Jan 2014 14:46:05 +0100

Recently, I got reports about a Java-based GUI client using JavaHL
randomly crashing the VM. The problem was narrowed down to two RA
sessions to an https:// URL being opened simultaneously in two separate
threads (using different pools and different instances of callbacks
etc., so it's not wrong usage of our libraries).

I managed to reproduce this with a small C program (attached), and
narrowed this down further to the way Serf initializes the OpenSSL
library: it calls (or rather, called) SSL_library_init without ensuring
that this happened in a single-threaded context. This manifested as
SSL_CTX_new returning a NULL context, with the following error:

53003:error:140A90A1:SSL routines:func(169):reason(161):/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/ssl_lib.c:1540:

The problem is not platform-specific, and reproduces with serf-1.3.2.

Earlier today, Bert committed a fix for this to Serf trunk in r2263. I
rebuilt Subversion and the test program with that, and the crash goes
away. I also confirmed the fix with a JavaHL test case.

IMO, the way the test program uses our libraries is valid. So I'd like
to request that Bert's fix is back-ported to serf-1.x and a new release
(serf-1.3.3?) made available.

-- Brane

-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane_at_wandisco.com

Received on 2014-01-15 14:46:49 CET

This is an archived mail posted to the Subversion Dev mailing list.
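
The message above describes a process-wide initializer (SSL_library_init) reached from two threads at once. The following is an added example, not code from the mail, from Serf or from Subversion, and it does not reproduce the change made in r2263: it shows one common guard for that situation, pthread_once, around a stand-in initializer. The names library_init_unsafe, ensure_ssl_initialized, open_session and run_concurrent_sessions are hypothetical.

```c
#include <pthread.h>
#include <stdio.h>

#define NTHREADS 8

/* Stand-in (assumption) for SSL_library_init(): it fills process-global
 * state without any locking, so two threads must never run it at once. */
static int init_calls;   /* how many times the initializer actually ran */
static int tables_ready; /* models the library's global tables */

static void library_init_unsafe(void)
{
    init_calls++;
    tables_ready = 1;
}

static pthread_once_t ssl_once = PTHREAD_ONCE_INIT;

/* Called at the start of every path that needs the library. pthread_once
 * runs the initializer once and blocks other callers until it returns. */
static int ensure_ssl_initialized(void)
{
    return pthread_once(&ssl_once, library_init_unsafe);
}

/* Models opening one session: initialize, then rely on the global state
 * (the point where a real client would go on to call SSL_CTX_new). */
static void *open_session(void *arg)
{
    int *ok = arg;
    *ok = (ensure_ssl_initialized() == 0) && tables_ready;
    return NULL;
}

/* Opens NTHREADS sessions concurrently and returns how many of them saw a
 * fully initialized library, or -1 if a thread could not be started. */
static int run_concurrent_sessions(void)
{
    pthread_t tid[NTHREADS];
    int ok[NTHREADS] = {0};
    int started = 0, good = 0, i;

    while (started < NTHREADS &&
           pthread_create(&tid[started], NULL, open_session, &ok[started]) == 0)
        started++;
    for (i = 0; i < started; i++) {
        pthread_join(tid[i], NULL);
        good += ok[i];
    }
    return started == NTHREADS ? good : -1;
}

int main(void)
{
    int good = run_concurrent_sessions();
    printf("ready sessions: %d, init calls: %d\n", good, init_calls);
    return 0;
}
```

The guard has to live in the library that owns the initialization, because an application that opens sessions from several threads cannot see or serialize the call itself.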
