[squid-users] SSL bump memory leak
Steve Hill
steve at opendium.com
Tue Feb 23 15:31:05 UTC 2016

I'm looking into (what appears to be) a memory leak in the Squid 3.5
series. I'm testing this in 3.5.13, but this problem has been observed
in earlier releases too. Unfortunately I haven't been able to reproduce
the problem in a test environment yet, so my debugging has been limited
to what I can do on production systems (so no valgrind, etc).

These systems are configured to do SSL peek/bump/splice and I see the
Squid workers grow to hundreds or thousands of megabytes in size over a
few hours. A configuration reload does not reduce the memory
consumption. For debugging purposes, I have set
"dynamic_cert_mem_cache_size=0KB" to disable the certificate cache,
which should eliminate bug 4005. I've taken a core dump to analyse and
have found:

Running "strings" on the core, I can see that there are vast numbers of
strings that look like certificate subject/issuer identifiers. e.g.:

/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services

The vast majority of these seem to refer to root and intermediate
certificates. There are a few that include a host name and are probably
server certificates, such as:

/OU=Domain Control Validated/CN=*.soundcloud.com

But these are very much in the minority.

Also, notably they are mostly duplicates. Compare the total number:

$ strings -n 10 -t x core.21693|egrep '^ *[^ ]+ /.{1,3}='|wc -l
131599

with the number of unique strings:

$ strings -n 10 -t x core.21693|egrep '^ *[^ ]+ /.{1,3}='|sort -u -k 2|wc -l
658

There are also a very small number of lines that look something like:

/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org+Sign=signTrusted+SignHash=SHA256

I think the "+Sign=signTrusted+SignHash=SHA256" part would indicate that
this is a Squid database key, which is very confusing since with the
certificate cache disabled I wouldn't expect to see these at all.

--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
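
Added example, not part of the original post and not Squid project code: shell functions that extend the total-versus-unique count in the message into a per-name histogram, so the most duplicated subject/issuer strings and any "+Sign=" cache-key strings in a core dump stand out. The function names and the sample input are constructed for illustration; the match pattern is the one used in the post.

```shell
#!/bin/sh
# Reads `strings -n 10 -t x <core>` output on stdin.

# dn_lines: keep only lines whose string part looks like a certificate
# subject/issuer ("/C=", "/OU=", "/CN=" ...) and strip the hex offset column.
dn_lines() {
    grep -E '^ *[^ ]+ /.{1,3}=' | sed -E 's/^ *[^ ]+ //'
}

# dn_summary: print "<total> <unique> <cache-key-like>" for the DN strings,
# where cache-key-like means the string carries a "+Sign=" suffix.
dn_summary() {
    dn_lines | awk '
        { total++; if (!seen[$0]++) unique++ }
        /\+Sign=/ { keys++ }
        END { printf "%d %d %d\n", total, unique, keys }'
}

# dn_top N: print the N most duplicated DN strings as "<count><TAB><dn>".
dn_top() {
    dn_lines | awk '{ n[$0]++ } END { for (d in n) printf "%d\t%s\n", n[d], d }' |
        sort -t "$(printf '\t')" -k1,1nr -k2 | head -n "${1:-10}"
}

# Constructed sample in `strings -t x` layout (offsets are made up).
sample_strings_output() {
    cat <<'EOF'
  1a2b40 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
  1a2f80 /OU=Domain Control Validated/CN=*.soundcloud.com
  1b0010 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
  1b0450 some unrelated string in the heap
  1b0990 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
  1c0000 /C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org+Sign=signTrusted+SignHash=SHA256
  1c0400 /OU=Domain Control Validated/CN=*.soundcloud.com
EOF
}

# On a real dump: strings -n 10 -t x core.21693 | dn_top 20
sample_strings_output | dn_summary
sample_strings_output | dn_top 3
```

Comparing `dn_top` output from two core dumps taken some hours apart shows which names keep accumulating between the two.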