[squid-users] SSL bump memory leak
Steve Hill
steve at opendium.com
Wed Feb 24 10:17:43 UTC 2016

On 23/02/16 21:28, Amos Jeffries wrote:
> Ah, you said "a small number" of wiki cert strings with those details. I
> took that as meaning a small number of definitely squid generated ones
> amidst the 130K indeterminate ones leaking.

Ah, a misunderstanding on my part - sorry. Yes, there were 302 strings
containing "signTrusted" (77 of them unique), all of them appear to be
server certificates (i.e. with a CN containing a domain name), so it is
possibly reasonable to assume that they were for in-progress sessions
and would therefore be cleaned up.

This leaves around 131297 other subject/issuer strings (581 unique)
which, to my mind, can't be explained by anything other than a leak
(whether that be a "real" leak where the pointers have been discarded
without freeing the data, or a "pseudo" leak caused by references to
them being held forever).

The SslBump wiki page (http://wiki.squid-cache.org/Features/SslBump)
says that the SSL context used for talking to servers is wiped on
reconfigure, and from what I've seen in the code it looks like this
should still be true. However, a reconfigure doesn't seem to help in
this case, so my assumption is that this data is not part of that SSL
context. I'm not sure where else all of this data could be from though.

As much of the data seem to be intermediate and root CA certificates, it
is presumably being collected from web servers, rather than being
generated locally. Of the 131K strings not containing "signTrusted",
only 2760 of them appear to be server certificates (86 unique), so it
seems to me that the rest of the data are probably the intermediate
certificate chains from web servers that Squid has connected to.

It looks like there were also over 400K bumped requests split across 2
workers, so although 131K certificates is a massive amount of "leaked"
data, I don't think we are leaking on every connection. Coupled with
the fact that I can't seem to reproduce this in a test environment, this
suggests that there is something a little abnormal going on to trigger
the leak. Also bear in mind that a single certificate will show up as 2
separate strings, since it has both a subject and an issuer, so we're
probably actually talking about around 65K certificates.

--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
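
The counting described in the message above can be scripted. The following is an added example, not code from the original post or from Squid: it assumes the subject/issuer strings were pulled from the process memory as text in OpenSSL's one-line `/C=.../O=.../CN=...` form, treats any string containing "signTrusted" as Squid-generated, and uses a hypothetical hostname heuristic for "CN containing a domain name".

```python
import re
from collections import Counter

# Assumed OpenSSL one-line DN form, e.g. "/C=GB/O=Example/CN=www.example.com".
DN_RE = re.compile(r"(?:/[A-Za-z0-9.]+=[^/\n]+)+")
CN_RE = re.compile(r"/CN=([^/+\n]+)")
# Heuristic for a CN that is a domain name: dotted labels, optional wildcard.
HOST_RE = re.compile(r"^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def classify(line):
    """Return 'generated', 'server', 'ca_or_other', or None if not a DN string."""
    if not DN_RE.search(line):
        return None
    if "signTrusted" in line:
        return "generated"  # marker string named in the thread
    cn = CN_RE.search(line)
    if cn and HOST_RE.match(cn.group(1).strip()):
        return "server"
    return "ca_or_other"

def summarise(lines):
    """Count total and unique DN strings per category."""
    seen = {}
    for line in lines:
        kind = classify(line)
        if kind:
            seen.setdefault(kind, Counter())[line.strip()] += 1
    report = {k: {"total": sum(c.values()), "unique": len(c)} for k, c in seen.items()}
    leaked = sum(v["total"] for k, v in report.items() if k != "generated")
    # Each certificate contributes a subject and an issuer string, so halve.
    report["estimated_leaked_certs"] = leaked // 2
    return report

# Constructed sample input (not data from the thread).
SAMPLE = """\
/C=US/O=Example CA Inc/CN=Example Root CA
/C=US/O=Example CA Inc/CN=Example Intermediate CA G2
/C=US/O=Example CA Inc/CN=Example Root CA
/C=US/O=Example CA Inc/CN=Example Intermediate CA G2
/C=GB/O=Example Ltd/CN=www.example.com
/C=US/O=Example CA Inc/CN=Example Intermediate CA G2
/CN=mail.example.org+Sign=signTrusted
some unrelated heap string
""".splitlines()

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(key, value)
```

A large gap between total and unique counts in the `ca_or_other` bucket is the pattern the message describes: the same few intermediate and root CA names repeated many times.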