
Re: TLS client certificates and memory use



--On Thursday, December 04, 2008 5:47 PM -0800 Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:


> In 2.4.x, tls_get_cert_dn() leaks a reference to the client's X509 cert:
> the call to SSL_get_peer_certificate() in tls_get_cert() increments the
> reference count on the cert and it never gets decremented by a call to
> X509_free().  Simply adding the call there might not be safe, depending
> on whether the berval that tls_get_cert_dn() sets up relies on the
> underlying X509 to stay valid for longer than this chain of calls, as
> the X509 may be invalidated by a rehandshake.

File an ITS please. :)

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
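The ownership rule behind the report above, as an added self-contained illustration that is not code from OpenLDAP or OpenSSL: the model_* types and functions are stand-ins that mirror the reference-counting semantics of SSL_get_peer_certificate() (returns the cert with its count incremented, the caller owns that reference) and X509_free() (drops one reference). Whether the real tls_get_cert_dn() berval aliases X509-owned memory is an assumption made here to show why "just add X509_free()" is only safe once the DN has been copied into memory the caller owns; the session, certificate and subject strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a reference-counted certificate object (NOT OpenSSL's X509). */
typedef struct {
    int references;     /* like X509->references */
    char subject[64];   /* stand-in for the subject DN */
} model_x509;

/* Model of the TLS session: it holds its own reference to the peer cert. */
typedef struct {
    model_x509 *peer_cert;
} model_ssl;

static model_x509 *model_x509_new(const char *subject) {
    model_x509 *x = calloc(1, sizeof *x);
    if (!x) abort();
    x->references = 1;
    strncpy(x->subject, subject, sizeof x->subject - 1);
    return x;
}

/* Mirrors X509_free(): drop one reference, release the object at zero. */
static void model_x509_free(model_x509 *x) {
    if (x && --x->references == 0) free(x);
}

/* Mirrors SSL_get_peer_certificate(): the returned pointer carries a new
 * reference that the caller must release with model_x509_free(). */
static model_x509 *model_get_peer_certificate(model_ssl *s) {
    if (!s->peer_cert) return NULL;
    s->peer_cert->references++;
    return s->peer_cert;
}

/* berval as in OpenLDAP's lber.h: length plus pointer. */
struct berval { size_t bv_len; char *bv_val; };

/* Leaky pattern: the getter's reference is never released, and the berval
 * aliases memory owned by the certificate object. */
static int leaky_get_cert_dn(model_ssl *s, struct berval *dn) {
    model_x509 *x = model_get_peer_certificate(s);
    if (!x) return -1;
    dn->bv_val = x->subject;             /* aliases the cert's buffer   */
    dn->bv_len = strlen(x->subject);
    return 0;                            /* missing model_x509_free(x)  */
}

/* Fixed pattern: copy the DN into caller-owned memory, then release the
 * reference at once. The berval no longer depends on the cert outliving
 * this call, so a later rehandshake cannot invalidate it. */
static int fixed_get_cert_dn(model_ssl *s, struct berval *dn) {
    model_x509 *x = model_get_peer_certificate(s);
    if (!x) return -1;
    dn->bv_len = strlen(x->subject);
    dn->bv_val = malloc(dn->bv_len + 1);
    if (!dn->bv_val) { model_x509_free(x); return -1; }
    memcpy(dn->bv_val, x->subject, dn->bv_len + 1);
    model_x509_free(x);                  /* balance the getter's increment */
    return 0;
}

/* Simulated rehandshake: the session drops its old cert and installs a new one. */
static void model_rehandshake(model_ssl *s, const char *new_subject) {
    model_x509_free(s->peer_cert);
    s->peer_cert = model_x509_new(new_subject);
}

/* Reference count left on the cert by the leaky path (expected: 2). */
int refs_after_leaky(void) {
    model_ssl s = { model_x509_new("CN=alice,O=Example") };  /* constructed */
    struct berval dn;
    leaky_get_cert_dn(&s, &dn);
    int refs = s.peer_cert->references;
    model_x509_free(s.peer_cert);        /* session's reference */
    model_x509_free(s.peer_cert);        /* the leaked one, cleaned up here only */
    return refs;
}

/* Reference count left on the cert by the fixed path (expected: 1). */
int refs_after_fixed(void) {
    model_ssl s = { model_x509_new("CN=alice,O=Example") };  /* constructed */
    struct berval dn;
    fixed_get_cert_dn(&s, &dn);
    int refs = s.peer_cert->references;
    free(dn.bv_val);
    model_x509_free(s.peer_cert);
    return refs;
}

/* 1 if the copied DN is still intact after the cert is replaced by a rehandshake. */
int dn_survives_rehandshake(void) {
    model_ssl s = { model_x509_new("CN=alice,O=Example") };  /* constructed */
    struct berval dn;
    fixed_get_cert_dn(&s, &dn);
    model_rehandshake(&s, "CN=alice-renewed,O=Example");     /* old cert freed */
    int ok = strcmp(dn.bv_val, "CN=alice,O=Example") == 0;
    free(dn.bv_val);
    model_x509_free(s.peer_cert);
    return ok;
}

int main(void) {
    printf("refs after leaky path: %d\n", refs_after_leaky());
    printf("refs after fixed path: %d\n", refs_after_fixed());
    printf("copied DN intact after rehandshake: %d\n", dn_survives_rehandshake());
    return 0;
}
```

The two demo paths make the ordering concrete: releasing the getter's reference is only correct once nothing returned to the caller points into the certificate, which is exactly the question raised about the berval.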