Home/ Questions/Q 4568004
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T19:00:49+00:00

I’m trying to ensure that sensitive data (passwords, …) are not kept in clear-text

  • 0

I’m trying to ensure that sensitive data (passwords, …) are not kept in clear-text in process memory and I have found that all data sent to or received from OpenSSL is kept in memory…

This is a problem as data sent or received from an SSL connection may contain sensitive information that we don’t want to keep in process memory.

Notes:

  • This is only the case when using SSLv3 or TLSv1. When using SSLv2, data is not kept in memory.
  • I am using version 0.9.8k-7ubuntu8.6 from Ubuntu Lucid. If this is related to a security fix, I think it is up to date.

Reproduction is easy:

  • Use ‘openssl client -tls1 -connect hostname:443‘ to connect to an SSL server
  • Send data in TLS connection
  • Force generation of core file (kill -SEGV for example)
  • Inspect core file, received and sent data will be present

Is there a reason for which OpenSSL may need to keep that data? Is there an option to alter its behavior?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Note: I’m replying to my own question after having found the explanation I was looking for.

    The data is kept in zlib buffers if compression is enabled on the connection. That’s why it is not observed with some configuration/server. It is surely required by zlib to correctly compress the flow.

    If you don’t need compression and you don’t want unencrypted data to stay for a long time in process memory, you can disable OpenSSL compression.

    STACK_OF(SSL_COMP)* cm = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(cm);
    • 0