[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS client certificates and memory use

To: David Hawes <dhawes@vt.edu>
Subject: Re: TLS client certificates and memory use
From: Philip Guenther <guenther+ldapsoft@sendmail.com>
Date: Thu, 4 Dec 2008 17:47:44 -0800
Cc: openldap-software@openldap.org
In-reply-to: <49386C22.5040405@vt.edu>
References: <492C9754.2060700@vt.edu> <90DB5BC1326E6D629F63FFAA@[192.168.1.199]> <492CDC80.3080805@vt.edu> <49355E47.4000205@vt.edu> <49386C22.5040405@vt.edu>
User-agent: Alpine 1.10 (BSO 962 2008-03-14)

On Thu, 4 Dec 2008, David Hawes wrote:
...
> Here is an excerpt of the valgrind output when using client certificates:
> 
> ==13311== 4,906 (92 direct, 4,814 indirect) bytes in 1 blocks are
> definitely lost in loss record 19 of 23
...
> ==13311==    by 0x4286A57: d2i_X509 (x_x509.c:136)
> ==13311==    by 0x4194F26: ssl3_get_client_certificate (s3_srvr.c:2521)
...
> It seems like something doesn't get freed properly when client
> certificates are used, but I have been unable to track it down so far.

In 2.4.x, tls_get_cert_dn() leaks a reference to the client's X509 cert: 
the call to SSL_get_peer_certificate() in tls_get_cert() increments the 
reference count on the cert and it never gets decremented by a call to 
X509_free().  Simply adding the call there might not be safe, depending on 
whether the berval that tls_get_cert_dn() sets up relies on the underlying 
X509 to stay valid for longer than this chain of calls, as the X509 may be 
invalidated by a rehandshake.

Philip Guenther

Follow-Ups:
- Re: TLS client certificates and memory use
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- Re: TLS client certificates and memory use
  - From: David Hawes <dhawes@vt.edu>
- Re: TLS client certificates and memory use
  - From: David Hawes <dhawes@vt.edu>

Prev by Date: Re: TLS client certificates and memory use
Next by Date: Re: TLS client certificates and memory use
Index(es):
- Chronological
- Thread