This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 113257
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: avi.maslati [...] forescout.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Crl file handle is not closed.
Date: Tue, 22 Mar 2016 10:07:33 +0000
From: Avi Maslati <avi.maslati [...] forescout.com>
Hi Guys,

After opening about 10k connections to my server using the following Server side configuration:

    'SSL_crl_file' => '/usr/local/XXX/plugin/va/certs/fs_crl.pem',
    'SSL_check_crl' => 1,
    'SSL_ca_file' => '/usr/local/XXX/plugin/va/certs/fs_ca.pem',
    'SSL_verify_mode' => 1,
    'SSL_client_ca_file' => '/usr/local/XXX/plugin/va/certs/fs_ca.pem'

I noticed (using lsof) that the CRL file handle is not being closed till I close the process.

I think it's because it is not released in the following code:

    if ($arg_hash->{'SSL_crl_file'}) {
        my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        # < should be released here>
        if ( $crl ) {
            Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
        } else {
            return IO::Socket::SSL->error("Invalid certificate revocation list");
        }
    }

After modifying the code as below the issue seems to be resolved:

    if ($arg_hash->{'SSL_crl_file'}) {
        my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        Net::SSLeay::BIO_free($bio);
        if ( $crl ) {
            Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
        } else {
            return IO::Socket::SSL->error("Invalid certificate revocation list");
        }
    }

I would really appreciate your advice on this.

Thanks a lot
Avi
On Tue 22 Mar 2016, 06:07:51, avi.maslati@forescout.com wrote:
> Hi Guys,
>
> I after opening about 10k connections to my server using the following
> Server side configuration:
>
> 'SSL_crl_file' => '/usr/local/XXX/plugin/va/certs/fs_crl.pem',

Thanks for reporting the problem. This should be fixed in the just released version 2.025.
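
A way to confirm the descriptor leak discussed in this ticket on Linux, as an added example that is not part of the ticket or of IO::Socket::SSL's own code. The helper names `open_fds_for` and `load_crl` are hypothetical, and the temp file is a constructed stand-in rather than a real CRL (the parse fails, but the descriptor behaviour is the same):

```perl
#!/usr/bin/perl
# Added example: count descriptors left open by BIO_new_file with and
# without the BIO_free call proposed in the report. Linux only (/proc).
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempfile);
use Net::SSLeay;

Net::SSLeay::initialize();

# Constructed stand-in for the CRL file; its content is not a valid CRL.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "not a real CRL\n";
close $fh;
$path = abs_path($path);    # /proc symlinks hold the resolved path

# Count this process's open descriptors that point at $file.
sub open_fds_for {
    my ($file) = @_;
    my $n = 0;
    for my $fd (glob "/proc/$$/fd/*") {
        my $target = readlink $fd;
        $n++ if defined $target && $target eq $file;
    }
    return $n;
}

# Read the file the way the reported code does; free the BIO only if asked.
sub load_crl {
    my ($file, $free_bio) = @_;
    my $bio = Net::SSLeay::BIO_new_file($file, 'r')
        or die "cannot open $file\n";
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    # Freeing here covers both the success and the error return path.
    Net::SSLeay::BIO_free($bio) if $free_bio;
    return $crl;
}

load_crl($path, 0) for 1 .. 100;
my $leaked = open_fds_for($path);
printf "without BIO_free: %d descriptors open on %s\n", $leaked, $path;

load_crl($path, 1) for 1 .. 100;
printf "with BIO_free:    %d additional descriptors\n",
    open_fds_for($path) - $leaked;
```

On a long-running server each leaked descriptor counts against the process's open-file limit, so a per-connection leak like this eventually makes new accepts fail.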

