
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 113257
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: avi.maslati [...] forescout.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Crl file handle is not closed.
Date: Tue, 22 Mar 2016 10:07:33 +0000
To: "bug-IO-Socket-SSL [...] rt.cpan.org" <bug-IO-Socket-SSL [...] rt.cpan.org>
From: Avi Maslati <avi.maslati [...] forescout.com>
Hi Guys,

After opening about 10k connections to my server using the following server-side configuration:

    'SSL_crl_file' => '/usr/local/XXX/plugin/va/certs/fs_crl.pem',
    'SSL_check_crl' => 1,
    'SSL_ca_file' => '/usr/local/XXX/plugin/va/certs/fs_ca.pem',
    'SSL_verify_mode' => 1,
    'SSL_client_ca_file' => '/usr/local/XXX/plugin/va/certs/fs_ca.pem'

I noticed (using lsof) that the CRL file handle is not being closed till I close the process.

I think it's because it is not released in the following code:

    if ($arg_hash->{'SSL_crl_file'}) {
        my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        # <-- should be released here
        if ( $crl ) {
            Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
        } else {
            return IO::Socket::SSL->error("Invalid certificate revocation list");
        }
    }

After modifying the code as below the issue seems to be resolved:

    if ($arg_hash->{'SSL_crl_file'}) {
        my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        Net::SSLeay::BIO_free($bio);
        if ( $crl ) {
            Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
        } else {
            return IO::Socket::SSL->error("Invalid certificate revocation list");
        }
    }

I would really appreciate your advice on this.

Thanks a lot
Avi
On Tue 22 Mar 2016, 06:07:51, avi.maslati@forescout.com wrote:
> Hi Guys,
>
> After opening about 10k connections to my server using the following
> Server side configuration:
>
> 'SSL_crl_file' => '/usr/local/XXX/plugin/va/certs/fs_crl.pem',

Thanks for reporting the problem. This should be fixed in the just released version 2.025.
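
The leak and the one-line fix discussed in this ticket can be reproduced outside IO::Socket::SSL. The following Perl script is an added example, not code from the ticket or from the IO-Socket-SSL distribution; it assumes Linux (`/proc/self/fd`), and the temporary file and the helpers `open_handles`, `load_crl` and `leaked_by` are hypothetical names made up for the illustration. The placeholder file is not a valid CRL, which does not matter here because the BIO holds the descriptor whether or not parsing succeeds.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempfile);
use Net::SSLeay;

Net::SSLeay::initialize();

# Constructed stand-in for SSL_crl_file (not a real CRL; the parse fails,
# but BIO_new_file still opens a descriptor, which is what leaks).
my ($fh, $tmp) = tempfile(UNLINK => 1);
print {$fh} "constructed placeholder, not a real CRL\n";
close $fh;
my $crl_path = realpath($tmp);

# Hypothetical helper: count this process's descriptors that point at $path,
# i.e. what lsof showed in the report. Linux only (assumes /proc).
sub open_handles {
    my ($path) = @_;
    opendir(my $dh, '/proc/self/fd') or die "needs Linux /proc: $!";
    my $n = grep { (readlink("/proc/self/fd/$_") // '') eq $path } readdir $dh;
    closedir $dh;
    return $n;
}

# Hypothetical helper mirroring the CRL-loading steps quoted in the ticket.
sub load_crl {
    my ($path, $free_bio) = @_;
    my $bio = Net::SSLeay::BIO_new_file($path, 'r') or die "cannot open $path";
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    Net::SSLeay::BIO_free($bio) if $free_bio;    # the fix proposed in the ticket
    Net::SSLeay::X509_CRL_free($crl) if $crl;    # only reached with a real CRL
    Net::SSLeay::ERR_clear_error();              # drop the placeholder's parse error
    return;
}

# Descriptors to $path gained by $rounds loads, with or without BIO_free.
sub leaked_by {
    my ($path, $rounds, $free_bio) = @_;
    my $before = open_handles($path);
    load_crl($path, $free_bio) for 1 .. $rounds;
    return open_handles($path) - $before;
}

printf "without BIO_free: %d leaked descriptors\n", leaked_by($crl_path, 100, 0);
printf "with BIO_free:    %d leaked descriptors\n", leaked_by($crl_path, 100, 1);
```

Net::SSLeay returns the BIO as a plain integer pointer, so letting `$bio` go out of scope does not release it; only the explicit `BIO_free` call does.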

