Thanks for the reply, it helped me adding some more debugging statements to various places to track down the problem: it is due to a change in TLS session handling in TLSv1.3. It seems there are multiple SSL_SESSION structures for a single SSL connection (SMTP session). The callback installed using SSL_CTX_sess_set_new_cb() was called twice for the same SSL connection and the code was written to handle only one callback per connection. This resulted in a "use after free" situation. Sorry for the false alarm. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
