
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 125888
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

Owner: Nobody in particular
Requestors: franz.skale [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Memleak add_crl ($crl not freed !)
Date: Thu, 19 Jul 2018 12:57:34 +0000
To: "bug-IO-Socket-SSL [...]" <bug-IO-Socket-SSL [...]>
From: Skale Franz <franz.skale [...]>
Hello,

I'm a heavy user of the CRL feature as well as client certificates. So I'm wondering why my microservices gather RAM but don't free it. I now found time to debug the problem and found the bug.

When adding a crl to the certificate store, you free the bio but not the crl. So, when using e.g. Mojolicious, every request grabs 124k of RAM which won't be freed after the request has been rendered.

A simple working demonstration (remove the lines Net::SSLeay::X509_CRL_free($crl); to see the memleak using top):

    #!/usr/bin/env perl
    use Mojo::Base -strict;
    use Net::SSLeay 1.85;
    use Mojo::IOLoop;

    my $crlfilename = q{use a working crl generated by your CA};
    my $ctx = Net::SSLeay::CTX_new();
    my $id;
    my $cb = sub {
        # Read the CRL from disk; the BIO is released once the CRL is parsed.
        my $bio = Net::SSLeay::BIO_new_file($crlfilename, 'r');
        my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
        Net::SSLeay::BIO_free($bio);
        if ($crl) {
            if ( my $store = Net::SSLeay::X509_STORE_add_crl(
                    Net::SSLeay::CTX_get_cert_store($ctx), $crl) ) {
                printf(STDERR "Successfully added crl to cert store\n");
            } else {
                printf(STDERR "CRL already in store\n");
                Net::SSLeay::X509_CRL_free($crl);
            }
        } else {
            Net::SSLeay::X509_CRL_free($crl);
            printf(STDERR "Cannot read CRL File: %s\n", $crlfilename);
            Mojo::IOLoop->stop($id);
        }
    };
    # Re-run the callback every 3 seconds so the growth is visible in top.
    $id = Mojo::IOLoop->recurring(3 => sub {$cb->();});
    Mojo::IOLoop->start unless Mojo::IOLoop->is_running;

My simple patch (IO::Socket::SSL version 2.0.58) resolves the issue!

--- IO-Socket-SSL-2.058.orig/lib/IO/Socket/ 2018-07-19 09:45:08.000000000 +0200 +++ IO-Socket-SSL-2.058/lib/IO/Socket/ 2018-07-19 14:46:25.347403289 +0200 
@@ -2506,6 +2506,7 @@ Net::SSLeay::BIO_free($bio); if ( $crl ) { Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl); + Net::SSLeay::X509_CRL_free($crl); } else { return IO::Socket::SSL->error("Invalid certificate revocation list"); }

Btw. you're doing a great job!

Best regards
Franz Skale
Rechenzentrum-Services
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
T: +43(316)887-6264
M: +43(664)88275444
FN 165640p, Regional Court Graz acting as commercial register court
VAT ID no.: ATU 61241999
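
Review bot: the return value of Net::SSLeay::X509_STORE_add_crl is still discarded on the line just above the added Net::SSLeay::X509_CRL_free($crl), so a CRL that could not be added is freed silently and the caller never learns that the store lacks it. The demonstration script in this report does test that return value (a false result is reported as "CRL already in store"); consider testing it here as well and returning IO::Socket::SSL->error(...) for failures that should not be ignored. The unconditional free is only safe because the store is expected to hold its own reference to the CRL after a successful add, and a one-line comment next to the new call stating that would keep the ordering from being changed later.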
Since this is the same report as the pull request at GitHub, the bug is resolved here too. Thanks again for your patch.
