
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 113257
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: avi.maslati [...] forescout.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Crl file handle is not closed.
Date: Tue, 22 Mar 2016 10:07:33 +0000
To: "bug-IO-Socket-SSL [...] rt.cpan.org" <bug-IO-Socket-SSL [...] rt.cpan.org>
From: Avi Maslati <avi.maslati [...] forescout.com>
Hi Guys,

After opening about 10k connections to my server using the following server-side configuration:

    'SSL_crl_file' => '/usr/local/XXX/plugin/va/certs/fs_crl.pem',
    'SSL_check_crl' => 1,
    'SSL_ca_file' => '/usr/local/XXX/plugin/va/certs/fs_ca.pem',
    'SSL_verify_mode' => 1,
    'SSL_client_ca_file' => '/usr/local/XXX/plugin/va/certs/fs_ca.pem'

I noticed (using lsof) that the CRL file handle is not being closed till I close the process.

I think it's because it is not released in the following code:

    if ($arg_hash->{'SSL_crl_file'}) {
        my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        # <-- should be released here
        if ( $crl ) {
            Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
        } else {
            return IO::Socket::SSL->error("Invalid certificate revocation list");
        }
    }

After modifying the code as below the issue seems to be resolved:

    if ($arg_hash->{'SSL_crl_file'}) {
        my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        # release the file handle once the CRL has been read
        Net::SSLeay::BIO_free($bio);
        if ( $crl ) {
            Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
        } else {
            return IO::Socket::SSL->error("Invalid certificate revocation list");
        }
    }

I would really appreciate your advice on this.

Thanks a lot
Avi
On Tue 22 Mar 2016, 06:07:51, avi.maslati@forescout.com wrote:
> Hi Guys,
>
> After opening about 10k connections to my server using the following
> server-side configuration:
>
> 'SSL_crl_file' => '/usr/local/XXX/plugin/va/certs/fs_crl.pem',

Thanks for reporting the problem. This should be fixed in the just released version 2.025.
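
The leak described in this ticket can be reproduced outside IO::Socket::SSL. The script below is an added example, not code from the ticket or from the distribution: it opens a constructed file through Net::SSLeay 100 times with and without `BIO_free` and counts the descriptors left open. It assumes Linux (`/proc/<pid>/fd`) and an installed Net::SSLeay; the helper names `load_crl` and `open_handles` are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not IO::Socket::SSL code): a BIO opened with BIO_new_file
# keeps its file descriptor until BIO_free is called.
# Assumptions: Linux /proc filesystem, Net::SSLeay installed.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempfile);
use Net::SSLeay;

# Constructed input: a file that is NOT a valid CRL, so parsing fails and
# the error path (the "Invalid certificate revocation list" branch) is the
# one being exercised.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "not a CRL\n";
close $fh;
$path = abs_path($path);

# Count descriptors of this process that currently point at $file,
# which is the same information lsof shows for the CRL file.
sub open_handles {
    my ($file) = @_;
    return scalar grep { (readlink($_) // '') eq $file } glob("/proc/$$/fd/*");
}

# Read a CRL the way the ticket's snippet does; $free_bio toggles the fix.
sub load_crl {
    my ($file, $free_bio) = @_;
    my $bio = Net::SSLeay::BIO_new_file($file, 'r') or die "cannot open $file";
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    # Free before branching on $crl so success and failure both release it.
    Net::SSLeay::BIO_free($bio) if $free_bio;
    return $crl;
}

load_crl($path, 1) for 1 .. 100;
printf "with BIO_free:    %d open handles\n", open_handles($path);

load_crl($path, 0) for 1 .. 100;
printf "without BIO_free: %d open handles\n", open_handles($path);
```

On a long-running server the unfreed variant adds one descriptor per context created, so the process eventually hits its open-file limit and can no longer accept connections or open files.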