[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS client certificates and memory use

David Hawes wrote:
> David Hawes wrote:
>> Quanah Gibson-Mount wrote:
>>> --On Tuesday, November 25, 2008 7:24 PM -0500 David Hawes
>>> <dhawes@vt.edu> wrote:
>>>> I was doing some testing and noticed that when I search for entries
>>>> using TLS, significantly more memory is used when using client
>>>> certificates than without them.  In fact, memory will eventually be
>>>> exhausted if the searches are performed indefinitely.  Without using
>>>> them, memory use stays (around) the same value.
>>>> I stripped down the config, removed all ACLs except one (to disallow
>>>> access), and started with an empty database, and get the same results.
>>>> I've noticed this in 2.4.11, 2.4.12, and 2.4.13 with OpenSSL 0.9.8i.  I
>>>> do not notice it with an old 2.3.39 instance.
>>>> Has anyone noticed anything similar, or can anyone reproduce this?
>>> Have you run OpenLDAP in this situation under valgrind to see where the
>>> leak is occurring?
>> I have not, but I intend to do that next.  I'll be sure to post the results.
> valgrind seems to indicate that the leak occurs in OpenSSL (6,214 bytes
> are lost each connection with TLS and client certificates).
> That said, I find it odd that 2.3.43, linked against the same OpenSSL,
> does not show this leak.  2.4.6 and up (though I did not test .7-.10) do
> show the leak.  I'm still trying to explain that.

Here is an excerpt of the valgrind output when using client certificates:

==13311== 4,906 (92 direct, 4,814 indirect) bytes in 1 blocks are
definitely lost in loss record 19 of 23
==13311==    at 0x401D898: malloc (vg_replace_malloc.c:207)
==13311==    by 0x41FCCC4: default_malloc_ex (mem.c:79)
==13311==    by 0x41FD33F: CRYPTO_malloc (mem.c:304)
==13311==    by 0x428CA65: asn1_item_ex_combine_new (tasn_new.c:191)
==13311==    by 0x428C79C: ASN1_item_ex_new (tasn_new.c:85)
==13311==    by 0x428ECAA: ASN1_item_ex_d2i (tasn_dec.c:399)
==13311==    by 0x428E5F9: ASN1_item_d2i (tasn_dec.c:134)
==13311==    by 0x4286A57: d2i_X509 (x_x509.c:136)
==13311==    by 0x4194F26: ssl3_get_client_certificate (s3_srvr.c:2521)
==13311==    by 0x4191897: ssl3_accept (s3_srvr.c:462)
==13311==    by 0x41AD930: SSL_accept (ssl_lib.c:867)
==13311==    by 0x815D00E: ldap_pvt_tls_accept (tls.c:1594)
==13311==    by 0x8076926: connection_read_thread (connection.c:1286)
==13311==    by 0x813CEE5: ldap_int_thread_pool_wrapper (tpool.c:663)
==13311==    by 0x415823F: start_thread (in
==13311==    by 0x43ED49D: clone (in /lib/tls/i686/cmov/libc-2.3.6.so)

It seems like something doesn't get freed properly when client
certificates are used, but I have been unable to track it down so far.