Hi SSLers!

I am seeing an intermittent problem using the EVP_md5 function to hash user-specified passwords.

The application works fine most of the time except when I run a "stress test": 3 user applications concurrently that simply try to connect to my server in a loop of 3,000 iterations each. My multi-threaded server accepts incoming connection requests and validates the user's password by hashing it using MD5 and verifying it against the stored hashed value. This works fine in all but approx. 10 iterations (out of 3,000). After putting in debug code I find that in those few iterations the EVP_md5 algorithm returned an incorrect hashed value (which of course results in password validation).

Here's an example:

clear text password: "u2"
stored (correct) MD5 hashed value in hex: '532A7B8E0328A8D05A8E6258B28B9A36'
incorrect hashed values returned in some iterations: '57D972DACC4671C2D448F66F308B6D49', 'B0E641C998CC3EAE6FA2F8726D98CDDD', '3B33F2AD8FFE66427AF237B4DED2C1E2', etc.

Execution environment:

- 64-bit SuSE Linux (also tried an AIX system with the same result)
- OpenSSL 0.9.8

Actions taken:

- Tried the same multi-stream test scenario on an AIX system (also OpenSSL 0.9.8) -- same result
- My server is multi-threaded using pthreads, so I tried adding calls to CRYPTO_set_locking_callback() and CRYPTO_set_id_callback() as described in the FAQ -- same result
- Tried to download & use OpenSSL 1.0.0.d, however got a loader error when trying to create a shared library out of my application:

  /usr/lib64/gcc/x86_64-suse-linux/4.1.2/../../../../x86_64-suse-linux/bin/ld: /home/hotely/kligermn/openssl100d/lib/libcrypto.a(digest.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC.
  /home/hotely/kligermn/openssl100d/lib/libcrypto.a: could not read symbols: Bad value

Am I doing something wrong? Is this a known bug that perhaps has been fixed in a later OpenSSL release? As mentioned above, I tried downloading OpenSSL 1.0.0.d, but I only found a static library while I need the dynamic libssl.so.X.Y.Z.

Thanks in advance for any help,
Gene