The function handling the SSL password receives a memory copy of the password which is then passed down to the OpenSSL library. The intermediate buffer used to get the password is not cleared once used up.
This is a (rather low) security issue in case a memory scraper was used. The buffer should be cleared once it is not necessary anymore.
The current function (in 0.9.0) looks like this:
After the strncpy() I would suggest something like this:
Note that we cannot use the variable size because it gets modified and thus does not represent the whole password size at that point.
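An added sketch of the fix described above, not the project's own code and not the snippet from the original report: a callback with OpenSSL's `pem_password_cb` signature that wipes the whole intermediate buffer after the copy. `fetch_password`, `copy_and_wipe`, `secure_wipe` and the sample password are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as dead writes (a plain memset() just before return may be elided). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Copy the password from the intermediate buffer tmp into OpenSSL's buf,
 * then clear tmp. Returns the number of bytes stored in buf (without NUL). */
static int copy_and_wipe(char *buf, int size, char *tmp, size_t tmp_cap)
{
    size_t len = 0;
    if (buf != NULL && size > 0 && tmp_cap > 0) {
        tmp[tmp_cap - 1] = '\0';
        len = strlen(tmp);
        if (len > (size_t)size - 1)
            len = (size_t)size - 1; /* clamped: no longer the full length */
        memcpy(buf, tmp, len);      /* bounded copy, stands in for strncpy() */
        buf[len] = '\0';
    }
    /* Wipe by the buffer's capacity, never by the clamped length above. */
    secure_wipe(tmp, tmp_cap);
    return (int)len;
}

/* Hypothetical password source; the value is a constructed sample. */
static void fetch_password(char *out, size_t cap)
{
    static const char constructed[] = "constructed-sample-pass";
    strncpy(out, constructed, cap - 1);
    out[cap - 1] = '\0';
}

/* Same signature as OpenSSL's pem_password_cb. */
int ssl_password_cb(char *buf, int size, int rwflag, void *userdata)
{
    char tmp[256];
    (void)rwflag;
    (void)userdata;
    fetch_password(tmp, sizeof tmp);
    return copy_and_wipe(buf, size, tmp, sizeof tmp);
}
```

When the code already links against OpenSSL, `OPENSSL_cleanse()` can replace the hand-written `secure_wipe()`.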