Hi Rémi,

On Tue, Jul 15, 2014 at 11:40:29AM +0200, Remi Gacogne wrote:
> 
> Hi,
> 
> It was recently reported to the Apache HTTPd dev mailing list [1] that
> the DH * value returned by the callback set with
> SSL_CTX_set_tmp_dh_callback() is not freed by OpenSSL but must be
> tracked by the application and freed when no longer needed, whenever
> that is. Unfortunately this behavior is not clearly documented and the
> example included in the documentation [2] doesn't do that.

Quite weird indeed.

> As a result, the patch I submitted earlier in haproxy 1.5 leads haproxy
> to leak memory for SSL/TLS connections using Diffie-Hellman Ephemeral
> key exchange, as the DH * struct holding the DH parameters is not freed
> by OpenSSL.
> 
> This patch fixes the leak by allocating the DH * structs holding the DH
> parameters once, at configuration time, as it has been done in Apache
> HTTPd. I am not very satisfied by the fact that it uses 4 file-scope
> variables, but I didn't see where else to store the DH parameters.
> Willy, Emeric, do you have any comment?

Don't worry about a few extra static variables, especially for whatever
relates to configuration (which is the case here). Your patch is fine,
I've applied it to both 1.5 and 1.6!

> I am sorry I didn't catch that earlier.

You must not be sorry. Nobody could blame you for not figuring out all of
OpenSSL's tricks at first glance! We don't want to claim we have no bugs,
we just want them to be fixed quickly, that's exactly what you did, so
that's perfect :-)

Thanks!
Willy

