The CI failure - leaks - is relevant.

Sigh, yes. So this old bug hid further issues.
Any hints how (best) to fix these leaks?

I meanwhile analyzed the situation and found and fixed further issues,
such that all tests pass again, with no memory leaks reported any more.

It turns out that the BIO_{NO,}CLOSE input was not even recorded by BIO_set_ssl(), which now gets fixed here as well.
(I also noticed that BIO_ctrl() and ssl_ctrl(), when called with BIO_C_SET_SSL, ignore any given flags, but meanwhile I found that this is a different issue).

I think the severity: fips change label, which got (re-)added automatically here, is meanwhile a false positive:
I had to change the implementation of BIO_set_ssl(), and just because it happens to be implemented as a macro in bio.h.in, this change appears as a change of the public API.

This still changes public API - the macro is part of it. It is slightly better but I am not sure this should be merged. Would there be any way to fix without changing public headers?

I've meanwhile moved the call of BIO_set_shutdown() into the body of
long BIO_ctrl(BIO *b, int cmd, long larg, void *parg)
where it then needs an extra guard.

I've meanwhile moved the call of BIO_set_shutdown() into the body of long BIO_ctrl(BIO *b, int cmd, long larg, void *parg) where it then needs an extra guard.

I think this is the wrong thing to do. Further comments as review comments.

Can I add the branch 3.0 tag here?

Of course the s_socket.c change is applicable only to master but that commit can be just skipped when cherry picking.

While it does look on the face of it like this is a clear bugfix and thus candidate for backport, I worry that it might fall into the category of bugs that are so longstanding that everything that cares has worked around the bug already, so that fixing the bug is more disruptive than leaving it in.

I do not really see a scenario where this fix could break anyone. Would you please elaborate?

I do not see how anyone would accidentally set BIO_NOCLOSE and expect that the SSL_shutdown() is done anyway. You would have to explicitly set the BIO_NOCLOSE but why would you do that if that does not have any real effect with the current code?

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

While it does look on the face of it like this is a clear bugfix and thus candidate for backport, I worry that it might fall into the category of bugs that are so longstanding that everything that cares has worked around the bug already, so that fixing the bug is more disruptive than leaving it in.

I do not really see a scenario where this fix could break anyone. Would you please elaborate?

I don't have a specific scenario in mind, this just qualitatively feels like some other cases where we've fixed a clear bug and then had it cause problems in practice due to software that had worked around it already.

Purely hypothetical, but consider an application using a common framework to manage multiple BIO types that just always set BIO_NOCLOSE unconditionally on all BIOs. That gets the precondition that the flag is set, and the framework then adds a workaround to match the observed behavior for SSL BIOs.

Is that a plausible scenario? I don't know. But it's enough to make me ask the question of whether the bugfix could be disruptive.

I do not really see how this could be a plausible scenario.

Merged to master and 3.0 (only the two applicable commits). Thank you.

Purely hypothetical, but consider an application using a common framework to manage multiple BIO types that just always set BIO_NOCLOSE unconditionally on all BIOs. That gets the precondition that the flag is set, and the framework then adds a workaround to match the observed behavior for SSL BIOs.

I also thought that it might be problematic to fix this longstanding bug because existing software may rely in the buggy behavior. Yet at least none of our tests broke.
A typical workaround for the bug may have been not to close the SSL connection, such that after this bugfix a mem leak might occur.
But well, typically the BIO does not get closed until exit, and than all open connections get closed anyway.

Merged to master and 3.0 (only the two applicable commits). Thank you.

Thanks @t8m for handling the discussion on between and merging this to both branches.

I just realized that most of #16688, namely

• the BIO_NOCLOSE issue and its fix
• the improvements to BIO_f_ssl.pod

pertains to earlier OpenSSL versions as well.
Ok to cherry-pick to 1.1.1?

Please create a separate PR against 1.1.1 I suppose this one won't cherry pick cleanly.

Good point; done in #17135.