[PATCH] Tests: resolved ssl_store_pkcs11.t failures on Debian
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 15 00:36:39 UTC 2025
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1765758980 -10800
# Mon Dec 15 03:36:20 2025 +0300
# Node ID b79ae9f9b554a2a8e1bdc9fde7f5730914b363ee
# Parent cc23719251b0c98e556453e0f6f498111da7ec82
Tests: resolved ssl_store_pkcs11.t failures on Debian.
There is a race between SoftHSM destructor and OpenSSL's atexit() handler,
which results in segmentation faults on process exit when using unpatched
SoftHSM 2.6.1 (latest version at the time of writing):
https://github.com/latchset/pkcs11-provider/issues/310
https://github.com/openssl/openssl/issues/22508
https://github.com/openssl/project/issues/1719
https://github.com/softhsm/SoftHSMv2/issues/780
In particular, segmentation faults were observed on Debian, which uses
some patches for SoftHSM, but not a patch which prevents SoftHSM object
destruction as seen on Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/softhsm2/+bug/2059340
https://git.launchpad.net/ubuntu/+source/softhsm2/commit/?id=1d7c9001dbb7b89d2f72b920e09353dd90895b43
This can be resolved with the "no-deinit" quirk in pkcs11-provider.
diff --git a/ssl_store_pkcs11.t b/ssl_store_pkcs11.t
--- a/ssl_store_pkcs11.t
+++ b/ssl_store_pkcs11.t
@@ -125,7 +125,17 @@ EOF
# pkcs11-module-load-behavior = early
# pkcs11-module-quirks = no-operation-state
#
-# No quirks are needed with pkcs11-provider 1.0+.
+# Further, there is a race between SoftHSM destructor and OpenSSL's atexit()
+# handler, which results in segmentation faults on process exit when using
+# unpatched SoftHSM 2.6.1 (latest version at the time of writing) with
+# pkcs11-provider:
+#
+# https://github.com/latchset/pkcs11-provider/issues/310
+# https://github.com/openssl/openssl/issues/22508
+# https://github.com/openssl/project/issues/1719
+# https://github.com/softhsm/SoftHSMv2/issues/780
+#
+# This can be resolved with the "no-deinit" quirk.
# Libraries on various systems: FreeBSD, Alpine, Debian, Fedora
@@ -164,7 +174,7 @@ module = $provider
pkcs11-module-path = $softhsm
pkcs11-module-token-pin = 1234
pkcs11-module-load-behavior = early
-pkcs11-module-quirks = no-operation-state
+pkcs11-module-quirks = no-operation-state no-deinit
activate = 1
[ req ]
More information about the nginx-devel
mailing list