Re: TLS client certificates and memory use



David Hawes wrote:
> Quanah Gibson-Mount wrote:
>> --On Tuesday, November 25, 2008 7:24 PM -0500 David Hawes
>> <dhawes@vt.edu> wrote:
>>
>>> I was doing some testing and noticed that when I search for entries
>>> using TLS, significantly more memory is used when using client
>>> certificates than without them.  In fact, memory will eventually be
>>> exhausted if the searches are performed indefinitely.  Without using
>>> them, memory use stays (around) the same value.
>>>
>>> I stripped down the config, removed all ACLs except one (to disallow
>>> access), and started with an empty database, and get the same results.
>>>
>>> I've noticed this in 2.4.11, 2.4.12, and 2.4.13 with OpenSSL 0.9.8i.  I
>>> do not notice it with an old 2.3.39 instance.
>>>
>>> Has anyone noticed anything similar, or can anyone reproduce this?
>> Have you run OpenLDAP in this situation under valgrind to see where the
>> leak is occurring?
> 
> I have not, but I intend to do that next.  I'll be sure to post the results.

valgrind seems to indicate that the leak occurs in OpenSSL (6,214 bytes
are lost each connection with TLS and client certificates).

That said, I find it odd that 2.3.43, linked against the same OpenSSL,
does not show this leak.  2.4.6 and up (though I did not test .7-.10) do
show the leak.  I'm still trying to explain that.