On Fri, Apr 09, 2021 at 11:34:54AM +0200, Markus Demleitner wrote:
> Since this appears to be a known problem, there's reason to hope
> it will go away when moving to bullseye, disabling https upgrading

Well, it didn't, and I finally wanted to have https on that service, and so I had another look. It turns out that the twisted bug https://twistedmatrix.com/trac/ticket/9764 now has a bit more information. It is still somewhat unfulfilling, as nobody seems to want to work out where the invalid free() comes from, but at least there's a recipe to work around the bug.

Me, I'm disabling session caching for now. Twisted seems to do the same thing. Since there *is* a severe, potentially exploitable problem with session caching, perhaps this ought to be the default in python3-openssl?

I'd be ok with closing this bug, anyway, as I'd say it's rather clearly not python3-cryptography's own bug.