[squid-users] SSL bump memory leak

Steve Hill steve at opendium.com
Tue Feb 23 15:31:05 UTC 2016


I'm looking into (what appears to be) a memory leak in the Squid 3.5 
series.  I'm testing this in 3.5.13, but this problem has been observed 
in earlier releases too.  Unfortunately I haven't been able to reproduce 
the problem in a test environment yet, so my debugging has been limited 
to what I can do on production systems (so no valgrind, etc).

These systems are configured to do SSL peek/bump/splice and I see the 
Squid workers grow to hundreds or thousands of megabytes in size over a 
few hours.  A configuration reload does not reduce the memory 
consumption.  For debugging purposes, I have set 
"dynamic_cert_mem_cache_size=0KB" to disable the certificate cache, 
which should eliminate bug 4005.  I've taken a core dump to analyse and 
have found:

Running "strings" on the core, I can see that there are vast numbers of 
strings that look like certificate subject/issuer identifiers.  e.g.:
	/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services

The vast majority of these seem to refer to root and intermediate 
certificates.  There are a few that include a host name and are probably 
server certificates, such as:
	/OU=Domain Control Validated/CN=*.soundcloud.com
But these are very much in the minority.

Also, notably they are mostly duplicates.  Compare the total number:
$ strings -n 10 -t x core.21693|egrep '^ *[^ ]+ /.{1,3}='|wc -l
131599
with the number of unique strings:
$ strings -n 10 -t x core.21693|egrep '^ *[^ ]+ /.{1,3}='|sort -u -k 2|wc -l
658

There are also a very small number of lines that look something like:
	/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org+Sign=signTrusted+SignHash=SHA256
I think the "+Sign=signTrusted+SignHash=SHA256" part would indicate that 
this is a Squid database key, which is very confusing since with the 
certificate cache disabled I wouldn't expect to see these at all.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messenger: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com
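
A per-name tally of the duplicates counted in the message above, as an added example that is not part of the original post: it applies the same `egrep` filter to `strings -t x` output, ranks each distinct name by how often it occurs, and counts the lines carrying the `+Sign=` suffix. The function names and the sample lines (built from the names quoted in the post, with made-up offsets) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Input format assumed:
# the output of `strings -n 10 -t x <core>`, i.e. "<hex offset> <string>".

# Keep only lines matching the post's filter and drop the offset column.
dn_lines() {
    grep -E '^ *[^ ]+ /.{1,3}=' | sed -E 's/^ *[^ ]+ //'
}

# Print "count<TAB>name", most frequent name first.
dn_histogram() {
    dn_lines | LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2 |
        awk '{ c = $1; sub(/^ *[0-9]+ /, ""); printf "%s\t%s\n", c, $0 }'
}

# One-line summary: total matches, distinct names, and how many lines
# carry the "+Sign=" suffix described in the post.
dn_summary() {
    dn_lines | awk '
        { n++; if (!seen[$0]++) u++; if (index($0, "+Sign=")) k++ }
        END { printf "total=%d unique=%d with_sign_suffix=%d\n", n, u, k }'
}

# Constructed sample input: names are those quoted in the post, the
# offsets and the two non-matching lines are invented.
sample_strings() {
    cat <<'EOF'
  1a2b3c /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
  1a2c00 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
  1a2d10 /OU=Domain Control Validated/CN=*.soundcloud.com
  1a2e20 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
  1a2f30 /C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org+Sign=signTrusted+SignHash=SHA256
  1a3040 /usr/lib64/libssl.so.10
  1a3150 some unrelated string
EOF
}

# With a core file argument, analyse it; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    strings -n 10 -t x "$1" | dn_summary
    strings -n 10 -t x "$1" | dn_histogram | head -n 20
else
    sample_strings | dn_summary
    sample_strings | dn_histogram
fi
```

Comparing the ranked output from two core dumps taken some hours apart shows which names account for the growth.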

