[squid-users] Large memory leak with ssl_peek (now partly understood)

Steve Hill steve at opendium.com
Thu Aug 11 16:56:23 UTC 2016


I've been suffering from a significant memory leak on multiple servers 
running Squid 3.5 for months, but was unable to reproduce it in a test 
environment.  I've now figured out how to reproduce it and have done 
some investigation:

When using TPROXY, Squid generates fake "CONNECT 192.0.2.1:443" 
requests, using the IP address that the client connected to.  At 
ssl_bump step 1, we peek and Squid generates another fake "CONNECT 
example.com:443" request containing the SNI from the client's SSL handshake.

At ssl_bump step 2 we splice the connection and Squid does verification 
to make sure that example.com does actually resolve to 192.0.2.1.  If it 
doesn't, Squid is supposed to reject the connection in 
ClientRequestContext::hostHeaderVerifyFailed() to prevent clients from 
manipulating the SNI to bypass ACLs.

Unfortunately, when verification fails, rather than actually dropping 
the client's connection, Squid just leaves the client hanging. 
Eventually the client (hopefully) times out and drops the connection 
itself, but the associated ClientRequestContext is never destroyed.

This is testable by repeatedly executing:

openssl s_client -connect 17.252.76.30:443 -servername courier.push.apple.com

That is a traffic pattern that we see in the real world and is now 
clearly what is triggering the leak: Apple devices make connections to 
addresses within the 17.0.0.0/8 network with an SNI of 
"courier.push.apple.com".  courier.push.apple.com resolves to a CNAME 
pointing to courier-push-apple.com.akadns.net, but 
courier-push-apple.com.akadns.net doesn't exist.  Since Squid can't 
verify the connection, it won't allow it and after 30 seconds the client 
times out.  Each Apple device keeps retrying the connection, leaking a 
ClientRequestContext each time, and before long we've leaked several 
gigabytes of memory (on some networks I'm seeing 16GB or more of leaked 
RAM over 24 hours!).

Unfortunately I'm a bit lost in the Squid code and can't quite figure 
out how to gracefully terminate the connection and destroy the context.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Sales / enquiries:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com
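The splice-time check described in the post (the SNI must resolve to the address the client actually connected to), modelled as an added illustration that is not Squid's own code: the DNS table is constructed so it runs offline, and FAKE_DNS, resolve, verify_splice and triage are names chosen here.

```python
"""Model of the ssl_bump step-2 host verification and a triage counter."""
from collections import Counter

# Constructed stand-in for the resolver: name -> list of (rtype, value).
# A name missing from the table is NXDOMAIN, which is the
# courier-push-apple.com.akadns.net situation described in the post.
FAKE_DNS = {
    "courier.push.apple.com": [("CNAME", "courier-push-apple.com.akadns.net")],
    "example.com": [("A", "192.0.2.1")],
}


def resolve(name, dns=FAKE_DNS, max_depth=8):
    """Follow the CNAME chain and return the set of A records.

    Returns an empty set for NXDOMAIN or an over-long CNAME chain.
    """
    for _ in range(max_depth):
        answers = dns.get(name)
        if not answers:
            return set()
        cnames = [target for rtype, target in answers if rtype == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return {addr for rtype, addr in answers if rtype == "A"}
    return set()


def verify_splice(dst_ip, sni, dns=FAKE_DNS):
    """True when the SNI resolves to the IP the client connected to."""
    return dst_ip in resolve(sni, dns)


def triage(connections, dns=FAKE_DNS):
    """Count verification failures per (dst_ip, sni) pair.

    Repeated failures for the same pair are the retry pattern that, per the
    post, leaks one ClientRequestContext per attempt on the affected Squid.
    """
    failures = Counter()
    for dst_ip, sni in connections:
        if not verify_splice(dst_ip, sni, dns):
            failures[(dst_ip, sni)] += 1
    return failures


# Constructed sample: three Apple push retries plus one connection that verifies.
SAMPLE = [("17.252.76.30", "courier.push.apple.com")] * 3 + [("192.0.2.1", "example.com")]
```

Running triage over real splice-time (dst_ip, SNI) pairs from a capture shows which hosts are stuck on the failing path and therefore which exceptions or fixes matter most.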
