
Why OpenSSL may keep received/written data in memory?


I'm trying to ensure that sensitive data (passwords, ...) are not kept in clear-text in process memory and I have found that all data sent to or received from OpenSSL is kept in memory...

This is a problem as data sent or received from an SSL connection may contain sensitive information that we don't want to keep in process memory.

Notes:

  • This is only the case when using SSLv3 or TLSv1. When using SSLv2, data is not kept in memory.
  • I am using version 0.9.8k-7ubuntu8.6 from Ubuntu Lucid. If this is related to a security fix, I think it is up to date.

Reproduction is easy:

  • Use 'openssl s_client -tls1 -connect hostname:443' to connect to an SSL server
  • Send data in TLS connection
  • Force generation of core file (kill -SEGV for example)
  • Inspect core file, received and sent data will be present

Is there a reason for which OpenSSL may need to keep that data? Is there an option to alter its behavior?


Solution

Note: I'm replying to my own question after having found the explanation I was looking for.

The data is kept in zlib buffers if compression is enabled on the connection. That's why it is not observed with some configurations/servers. It is surely required by zlib to correctly compress the flow.

If you don't need compression and you don't want unencrypted data to stay for a long time in process memory, you can disable OpenSSL compression.

    #include <openssl/ssl.h>

    /* Empty the process-wide list of compression methods before any SSL_CTX
       is created, so no TLS session can negotiate compression and zlib never
       gets a copy of the plaintext to buffer. */
    STACK_OF(SSL_COMP)* cm = SSL_COMP_get_compression_methods();
    sk_SSL_COMP_zero(cm);
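The two points of the answer, demonstrated in Python's standard library rather than the 0.9.8 C API shown above (this is an added example, not code from the question or from OpenSSL): first, why a deflate stream must keep earlier plaintext resident, shown by compressing the same constructed "secret" twice through one stream and observing that the second copy is emitted as a back-reference into the compressor's window; second, the equivalent of emptying the SSL_COMP stack on OpenSSL 1.0.0 and later, which exposes the option flag SSL_OP_NO_COMPRESSION (Python's ssl.OP_NO_COMPRESSION), together with a post-handshake audit of a live socket. The SECRET value is constructed sample data.

```python
import ssl
import zlib

# Constructed sample: stands in for a password that is sent twice over one TLS session.
SECRET = b"password=correct-horse-battery-staple; session=constructed-sample-value-0001"


def deflate_stream_chunks(chunks):
    """Compress each chunk through ONE deflate stream (as TLS-level compression
    does for a whole connection), flushing after each so every chunk yields a
    self-contained piece of output whose size we can compare."""
    comp = zlib.compressobj(level=6)
    out = []
    for chunk in chunks:
        # Z_SYNC_FLUSH emits what has been buffered but keeps the sliding
        # window intact; Z_FULL_FLUSH would discard it.
        out.append(comp.compress(chunk) + comp.flush(zlib.Z_SYNC_FLUSH))
    return out


def second_copy_is_backreferenced():
    """True when the second copy of SECRET compresses smaller than the first:
    deflate found it in its 32 KiB window, i.e. the earlier plaintext is still
    held in the compressor's memory, which is the buffer the question found in
    the core dump."""
    first, second = deflate_stream_chunks([SECRET, SECRET])
    return len(second) < len(first)


def hardened_client_context():
    """Client context that refuses to negotiate TLS compression. On OpenSSL
    1.0.0+ this is the SSL_OP_NO_COMPRESSION option; Python surfaces it as
    ssl.OP_NO_COMPRESSION."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx):
    """Audit helper for an existing SSLContext: is the no-compression flag set?"""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def session_uses_compression(tls_sock):
    """Post-handshake check on a connected ssl.SSLSocket: compression() returns
    None when no compression method was negotiated, so zlib holds no plaintext."""
    return tls_sock.compression() is not None


if __name__ == "__main__":
    sizes = [len(c) for c in deflate_stream_chunks([SECRET, SECRET])]
    print("deflate output bytes per copy of SECRET:", sizes)
    print("second copy back-referenced into window:", second_copy_is_backreferenced())
    print("hardened context disables compression:",
          compression_disabled(hardened_client_context()))
```

The size comparison is the useful part: the second copy costs only a few bytes because deflate encodes it as (distance, length) into data it still holds, so clearing compression is the only way to keep that window from ever existing; an application-level memset of its own buffers would not reach zlib's. The `session_uses_compression` check is what to run against a live connection when you cannot control how the context was built.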