On Mon, 19 Aug 2013, Jerry Blakley wrote:
What seems to be happening is that while the session is open and the
connection reused, we make the repeated allocations in nss_create_object,
increasing memory usage, until the session ends and curl_easy_cleanup is
called.
Is this the case, and should it be so? Or is there (or should there be) an
intermediate cleanup routine, or a way to reuse the certificate
information without the reallocation?
Hi,
I'm not an NSS expert but it looks to me like there's no need to reload the
cert/key when the connection is re-used (as it is only re-used when the same
cert/key is set). What about a patch like the attached?
--
/ daniel.haxx.se
From c6f44ed376ce720a389490ae3eab880bee48b8ff Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Tue, 20 Aug 2013 10:36:02 +0200
Subject: [PATCH] NSS: don't load keys/certs with re-used connections
... as they are then already loaded and re-used from the previous request.
---
lib/nss.c | 55 +++++++++++++++++++++++++++++--------------------------
1 file changed, 29 insertions(+), 26 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 2d4bf9e..63a4847 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <[email protected]>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -553,39 +553,42 @@ static CURLcode cert_stuff(struct connectdata *conn, int sockindex,
char *cert_file, char *key_file)
{
struct SessionHandle *data = conn->data;
- CURLcode rv;
+ CURLcode rv = CURLE_OK;
- if(cert_file) {
- rv = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
- if(CURLE_OK != rv) {
- const PRErrorCode err = PR_GetError();
- if(!display_error(conn, err, cert_file)) {
- const char *err_name = nss_error_to_name(err);
- failf(data, "unable to load client cert: %d (%s)", err, err_name);
- }
+ if(!conn->bits.reuse) {
+ /* only load key/cert on the first use of this connection, for subsequent
+ uses of the connection the data is re-used */
- return rv;
+ if(cert_file) {
+ rv = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
+ if(CURLE_OK != rv) {
+ const PRErrorCode err = PR_GetError();
+ if(!display_error(conn, err, cert_file)) {
+ const char *err_name = nss_error_to_name(err);
+ failf(data, "unable to load client cert: %d (%s)", err, err_name);
+ }
+ return rv;
+ }
}
- }
- if(key_file || (is_file(cert_file))) {
- if(key_file)
- rv = nss_load_key(conn, sockindex, key_file);
- else
- /* In case the cert file also has the key */
- rv = nss_load_key(conn, sockindex, cert_file);
- if(CURLE_OK != rv) {
- const PRErrorCode err = PR_GetError();
- if(!display_error(conn, err, key_file)) {
- const char *err_name = nss_error_to_name(err);
- failf(data, "unable to load client key: %d (%s)", err, err_name);
+ if(key_file || (is_file(cert_file))) {
+ if(key_file)
+ rv = nss_load_key(conn, sockindex, key_file);
+ else
+ /* In case the cert file also has the key */
+ rv = nss_load_key(conn, sockindex, cert_file);
+ if(rv) {
+ const PRErrorCode err = PR_GetError();
+ if(!display_error(conn, err, key_file)) {
+ const char *err_name = nss_error_to_name(err);
+ failf(data, "unable to load client key: %d (%s)", err, err_name);
+ }
+ return rv;
}
-
- return rv;
}
}
- return CURLE_OK;
+ return rv;
}
static char * nss_get_password(PK11SlotInfo * slot, PRBool retry, void *arg)
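Review bot: The new `if(!conn->bits.reuse)` guard makes the client identity presented on a re-used connection depend entirely on the connection-reuse matching logic only handing back connections configured with the same cert/key, and nothing in this hunk establishes that; if that matching ever stopped comparing cert_file/key_file, a transfer configured with a different client certificate would silently authenticate with the previously loaded one, so the assumption deserves to be stated where it is relied on. I would replace the added comment with `/* only load key/cert on the first use of this connection; skipping the load on re-use (conn->bits.reuse) is only safe because connection matching reuses a connection solely when the same cert/key are configured, so the previously loaded identity is the right one */`. The two error checks in the new block are also written differently, `if(CURLE_OK != rv)` for the cert load and `if(rv)` for the key load; using `if(CURLE_OK != rv)` for the key load too keeps the function consistent with itself. Note that the `is_file(cert_file)` test inside the guard can still be reached with a NULL cert_file when no key_file is set, which is pre-existing but worth confirming is_file handles.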
--
1.8.4.rc3