swiftlang · clintonpi · Dec 9, 2025 · jrflat · Dec 16, 2025 · clintonpi
diff --git a/Sources/FoundationNetworking/URLSession/libcurl/MultiHandle.swift b/Sources/FoundationNetworking/URLSession/libcurl/MultiHandle.swift
@@ -48,6 +48,15 @@ extension URLSession {
         fileprivate var timeoutSource: _TimeoutSource? = nil
         private var reentrantInUpdateTimeoutTimer = false
 
+        // Only use serialization for OpenSSL < 1.1.0 which has race conditions during cleanup
+        private static let _needsCleanupSerialization: Bool = {
+            let version = CFURLSessionSSLVersionInfo()
+            return version.major < 1 || (version.major == 1 && version.minor < 1)
+        }()
+
+        // Process-wide cleanup lock
+        private static let _cleanupLock = NSLock()
+
         init(configuration: URLSession._Configuration, workQueue: DispatchQueue) {
             queue = DispatchQueue(label: "MultiHandle.isolation", target: workQueue)
             setupCallbacks()
@@ -58,7 +67,14 @@ extension URLSession {
             easyHandles.forEach {
                 try! CFURLSessionMultiHandleRemoveHandle(rawHandle, $0.rawHandle).asError()
             }
-            try! CFURLSessionMultiHandleDeinit(rawHandle).asError()
+
+            if Self._needsCleanupSerialization {
+                Self._cleanupLock.lock()
+                try! CFURLSessionMultiHandleDeinit(rawHandle).asError()
+                Self._cleanupLock.unlock()
+            } else {
+                try! CFURLSessionMultiHandleDeinit(rawHandle).asError()
+            }
         }
     }
 }

diff --git a/Sources/_CFURLSessionInterface/CFURLSessionInterface.c b/Sources/_CFURLSessionInterface/CFURLSessionInterface.c
@@ -676,6 +676,22 @@ CFURLSessionCurlVersion CFURLSessionCurlVersionInfo(void) {
     return v;
 }
 
+CFURLSessionSSLVersion CFURLSessionSSLVersionInfo(void) {
+    curl_version_info_data *info = curl_version_info(CURLVERSION_NOW);
+    CFURLSessionSSLVersion version = {0, 0, 0};
+
+    if (info && info->ssl_version) {
+        // Parse OpenSSL version string like "OpenSSL/1.0.2k-fips" or "OpenSSL/1.1.1"
+        const char *ssl_str = info->ssl_version;
+        if (strncmp(ssl_str, "OpenSSL/", 8) == 0) {
+            ssl_str += 8;  // Skip "OpenSSL/"
+            sscanf(ssl_str, "%d.%d.%d", &version.major, &version.minor, &version.patch);
+        }
+    }
+
+    return version;
+}
+
 
 int const CFURLSessionWriteFuncPause = CURL_WRITEFUNC_PAUSE;
 int const CFURLSessionReadFuncPause = CURL_READFUNC_PAUSE;

diff --git a/Sources/_CFURLSessionInterface/include/CFURLSessionInterface.h b/Sources/_CFURLSessionInterface/include/CFURLSessionInterface.h
@@ -580,6 +580,13 @@ typedef struct CFURLSessionCurlVersion {
 } CFURLSessionCurlVersion;
 CF_EXPORT CFURLSessionCurlVersion CFURLSessionCurlVersionInfo(void);
 
+typedef struct CFURLSessionSSLVersion {
+    int major;
+    int minor;
+    int patch;
+} CFURLSessionSSLVersion;
+CF_EXPORT CFURLSessionSSLVersion CFURLSessionSSLVersionInfo(void);
+
 
 CF_EXPORT int const CFURLSessionWriteFuncPause;
 CF_EXPORT int const CFURLSessionReadFuncPause;