[nginx-tests] Tests: resolved ssl_store_pkcs11.t failures on Deb...
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 15 22:51:39 UTC 2025
details: http://freenginx.org/hg/nginx-tests/rev/b79ae9f9b554
branches:
changeset: 2036:b79ae9f9b554
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Dec 15 03:36:20 2025 +0300
description:
Tests: resolved ssl_store_pkcs11.t failures on Debian.
There is a race between SoftHSM destructor and OpenSSL's atexit() handler,
which results in segmentation faults on process exit when using unpatched
SoftHSM 2.6.1 (latest version at the time of writing):
https://github.com/latchset/pkcs11-provider/issues/310
https://github.com/openssl/openssl/issues/22508
https://github.com/openssl/project/issues/1719
https://github.com/softhsm/SoftHSMv2/issues/780
In particular, segmentation faults were observed on Debian, which uses
some patches for SoftHSM, but not a patch which prevents SoftHSM object
destruction as seen on Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/softhsm2/+bug/2059340
https://git.launchpad.net/ubuntu/+source/softhsm2/commit/?id=1d7c9001dbb7b89d2f72b920e09353dd90895b43
This can be resolved with the "no-deinit" quirk in pkcs11-provider.
diffstat:
ssl_store_pkcs11.t | 14 ++++++++++++--
1 files changed, 12 insertions(+), 2 deletions(-)
diffs (31 lines):
diff --git a/ssl_store_pkcs11.t b/ssl_store_pkcs11.t
--- a/ssl_store_pkcs11.t
+++ b/ssl_store_pkcs11.t
@@ -125,7 +125,17 @@ EOF
# pkcs11-module-load-behavior = early
# pkcs11-module-quirks = no-operation-state
#
-# No quirks are needed with pkcs11-provider 1.0+.
+# Further, there is a race between SoftHSM destructor and OpenSSL's atexit()
+# handler, which results in segmentation faults on process exit when using
+# unpatched SoftHSM 2.6.1 (latest version at the time of writing) with
+# pkcs11-provider:
+#
+# https://github.com/latchset/pkcs11-provider/issues/310
+# https://github.com/openssl/openssl/issues/22508
+# https://github.com/openssl/project/issues/1719
+# https://github.com/softhsm/SoftHSMv2/issues/780
+#
+# This can be resolved with the "no-deinit" quirk.
# Libraries on various systems: FreeBSD, Alpine, Debian, Fedora
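Review bot: The new comment paragraph ending in 'This can be resolved with the "no-deinit" quirk.' replaces the only version note in this block ("No quirks are needed with pkcs11-provider 1.0+.") without saying which pkcs11-provider versions need or recognize no-deinit, or whether no-operation-state is still required only before 1.0. It also leaves out the platform detail given in the commit message: the crashes were observed on Debian, while Ubuntu's SoftHSM package carries a patch that prevents the object destruction. Suggest adding one line on each, so a later reader can tell when the quirk can be dropped.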
@@ -164,7 +174,7 @@ module = $provider
pkcs11-module-path = $softhsm
pkcs11-module-token-pin = 1234
pkcs11-module-load-behavior = early
-pkcs11-module-quirks = no-operation-state
+pkcs11-module-quirks = no-operation-state no-deinit
activate = 1
[ req ]
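Review bot: On the changed line "pkcs11-module-quirks = no-operation-state no-deinit" the new quirk is set unconditionally, so it also applies on systems where SoftHSM is already patched and the exit-time segmentation fault does not occur. For a short-lived test process that is reasonable, but the comment above should say that this is a workaround for the SoftHSM 2.6.1 exit race in the test setup, so the line is not copied into other configurations as a general default. Please also confirm that the oldest pkcs11-provider version this test is expected to run against accepts the "no-deinit" name instead of rejecting the configuration.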