- Constantine Sapuntzakis identified a write after close, as the sockets were

closed by libcurl before the SSL lib were shutdown and they may write to its
  socket. Detected to at least happen with OpenSSL builds.

CHANGES

@@ -7,6 +7,10 @@
                                   Changelog
 
 Daniel Stenberg (20 Nov 2009)
+- Constantine Sapuntzakis identified a write after close, as the sockets were
+  closed by libcurl before the SSL lib were shutdown and they may write to its
+  socket. Detected to at least happen with OpenSSL builds.
+
 - Jad Chamcham pointed out a bug with connection re-use. If a connection had
   CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
   same proxy with the tunnel option disabled would still wrongly re-use that

RELEASE-NOTES

@@ -24,6 +24,7 @@ This release includes the following bugfixes:
  o don't store LDFLAGS in pkg-config file
  o never-pruned DNS cached entries
  o HTTP proxy tunnel re-used connection even if tunnel got disabled
+ o SSL lib post-close write
 
 This release includes the following known bugs:
 

lib/url.c

@@ -2300,6 +2300,11 @@ static void conn_free(struct connectdata *conn)
   if(!conn)
     return;
 
+  /* close the SSL stuff before we close any sockets since they will/may
+     write to the sockets */
+  Curl_ssl_close(conn, FIRSTSOCKET);
+  Curl_ssl_close(conn, SECONDARYSOCKET);
+
   /* close possibly still open sockets */
   if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
     sclose(conn->sock[SECONDARYSOCKET]);
@@ -2336,9 +2341,6 @@ static void conn_free(struct connectdata *conn)
   Curl_destroy_thread_data(&conn->async);
 #endif
 
-  Curl_ssl_close(conn, FIRSTSOCKET);
-  Curl_ssl_close(conn, SECONDARYSOCKET);
-
   Curl_free_ssl_config(&conn->ssl_config);
 
   free(conn); /* free all the connection oriented data */