Skip Menu |

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 125888
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL
People
Owner: Nobody in particular
Requestors: franz.skale [...] citycom-austria.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Thu Jul 19 08:58:51 2018 franz.skale [...] citycom-austria.com - Ticket created
Subject: Memleak add_crl ($crl not freed !)
Date: Thu, 19 Jul 2018 12:57:34 +0000
To: "bug-IO-Socket-SSL [...] rt.cpan.org" <bug-IO-Socket-SSL [...] rt.cpan.org>
From: Skale Franz <franz.skale [...] citycom-austria.com>
Hello, i'm a heavy user of the CRL feature as well as client certificates. So i'm wondering why my microservices gather RAM but don't free it. I now found time to debug the problem and found the BUG. When adding a crl to the certificate store, you free the bio but not the crl. So, when using e.g. Mojolicious, every request grabs 124k of RAM which won't be freed after the request has been rendered. A simple woriking demonstration: (remove the lines Net::SSLeay::X509_CRL_free($crl); to see the memleak using top. #!/usr/bin/env perl use Mojo::Base -strict; use Net::SSLeay 1.85; use Mojo::IOLoop; my $crlfilename = q{use a working crl generated by your CA}; my $ctx = Net::SSLeay::CTX_new(); my $id; my $cb = sub { my $bio = Net::SSLeay::BIO_new_file($crlfilename, 'r'); my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio); Net::SSLeay::BIO_free($bio); if ($crl) { if ( my $store = Net::SSLeay::X509_STORE_add_crl( Net::SSLeay::CTX_get_cert_store($ctx), $crl) ) { printf(STDERR "Succesfully added crl to cert store\n"); } else { printf(STDERR "CRL already in store\n"); Net::SSLeay::X509_CRL_free($crl); } } else { Net::SSLeay::X509_CRL_free($crl); printf(STDERR "Cannot read CRL File: %s\n", $crlfilename); Mojo::IOLoop->stop($id); } }; $id = Mojo::IOLoop->recurring(3 => sub {$cb->();}); Mojo::IOLoop->start unless Mojo::IOLoop->is_running; My simple patch: (IO::Socket:SSL version 2.0.58) resolves the issue ! --- IO-Socket-SSL-2.058.orig/lib/IO/Socket/SSL.pm 2018-07-19 09:45:08.000000000 +0200 +++ IO-Socket-SSL-2.058/lib/IO/Socket/SSL.pm 2018-07-19 14:46:25.347403289 +0200 @@ -2506,6 +2506,7 @@ Net::SSLeay::BIO_free($bio); if ( $crl ) { Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl); + Net::SSLeay::X509_CRL_free($crl); } else { return IO::Socket::SSL->error("Invalid certificate revocation list"); } Btw. you're doing a great job ! Best regards Franz Skale Rechenzentrum-Services [Citycom Telekommunikation GmbH]<http://www.citycom-austria.com/> Citycom Telekommunikation GmbH Gadollaplatz 1 8010 Graz | Austria T: +43(316)887-6264 M: +43(664)88275444 E: franz.skale@citycom-austria.com<mailto:franz.skale@citycom-austria.com> www.citycom-austria.com<http://www.citycom-austria.com/> FN 165640p, Landes- als Firmenbuchgericht Graz UID-Nr.: ATU 61241999 [Holding Graz]<http://www.holding-graz.at/>
  Wed Aug 15 11:58:19 2018 Steffen_Ullrich [...] genua.de - Correspondence added
Since this is the same report as the pull request at github https://github.com/noxxi/p5-io-socket-ssl/pull/74 the bug is resolved here too. Thanks again for your patch.
  Wed Aug 15 11:58:20 2018 The RT System itself - Status changed from 'new' to 'open'
  Wed Aug 15 11:58:21 2018 Steffen_Ullrich [...] genua.de - Status changed from 'open' to 'resolved'