Hi there,

On Thursday 17 Oct 2002 8:41 pm, Nadav Har'El wrote:
> I've come across an apparent bug that I'm surprised no-one has come
> across before: Mod_ssl's SSL-session cache handling, both the shmht
> and shmcb variants, leaks memory. Not directly (there's no alloc
> calls in shmcb), but memory is definitely leaked.
>
> Is this a known bug?

I saw your related email on the openssl lists recently but have not had 
the time to reply (and search out the necessary links). Anyway, this 
may not do it justice, but w.r.t. turning off process-local 
openssl-internal caching, see the following;
   http://marc.theaimsgroup.com/?l=apache-modssl&m=99717585106420&w=2

The issue isn't just memory footprint (though you're right, that can 
also become an unnecessary issue) but in fact is security as well. If a 
session needs to be deleted or marked non-resumable, it's too late if 
one of the other processes has cached it locally - so when plugging in 
external caching hooks to openssl, mod_ssl should also turn off the 
process-local caching. End of story.

This has apparently been fixed in Apache 2 but hasn't (IIRC) in mod_ssl. 
I mentioned it more than once, so I've given up.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
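
The stale-session problem described in the message above, as an added C model that is not code from mod_ssl, OpenSSL or the original poster. All names (`worker_t`, `resumable_after_delete`, the `NO_INTERNAL` bit, the session ID) are hypothetical; the bit stands in for OpenSSL's `SSL_SESS_CACHE_NO_INTERNAL` cache mode.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS 8
#define NO_INTERNAL 1  /* hypothetical bit modelling SSL_SESS_CACHE_NO_INTERNAL */
/* A cache is a small table of session IDs; an empty string marks a free slot. */
typedef struct { char id[SLOTS][16]; } cache_t;
static int cache_find(const cache_t *c, const char *id) {
    for (int i = 0; i < SLOTS; i++)
        if (c->id[i][0] && strcmp(c->id[i], id) == 0) return i;
    return -1;
}
static void cache_add(cache_t *c, const char *id) {
    if (cache_find(c, id) >= 0) return;
    for (int i = 0; i < SLOTS; i++)
        if (!c->id[i][0]) { strncpy(c->id[i], id, 15); return; }
}
static void cache_del(cache_t *c, const char *id) {
    int i = cache_find(c, id);
    if (i >= 0) c->id[i][0] = '\0';
}
/* One server process: a private cache plus a pointer to the shared one. */
typedef struct { cache_t local; cache_t *shared; int mode; } worker_t;
/* Handshake completed in this worker: store the new session. */
static void worker_new_session(worker_t *w, const char *id) {
    if (!(w->mode & NO_INTERNAL)) cache_add(&w->local, id);
    cache_add(w->shared, id);
}
/* Resumption attempt: the local cache is consulted first, then the shared one. */
static int worker_resume(worker_t *w, const char *id) {
    if (!(w->mode & NO_INTERNAL) && cache_find(&w->local, id) >= 0) return 1;
    if (cache_find(w->shared, id) < 0) return 0;
    if (!(w->mode & NO_INTERNAL)) cache_add(&w->local, id); /* local copy kept */
    return 1;
}
/* Returns 1 if a session deleted from the shared cache can still be resumed. */
int resumable_after_delete(int mode) {
    cache_t shared; worker_t a, b;
    memset(&shared, 0, sizeof shared); memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    a.shared = b.shared = &shared; a.mode = b.mode = mode;
    worker_new_session(&a, "sess-01");  /* constructed session ID */
    worker_resume(&b, "sess-01");       /* B resumes once and may cache a copy */
    cache_del(&shared, "sess-01");      /* session deleted from the shared cache */
    return worker_resume(&b, "sess-01");
}
int main(void) {
    printf("internal cache on:  %d\n", resumable_after_delete(0));
    printf("internal cache off: %d\n", resumable_after_delete(NO_INTERNAL));
    return 0;
}
```

With the process-local cache enabled, worker B keeps honouring the deleted session from its own copy; with it disabled, every lookup goes through the shared cache and the deletion takes effect.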
