[jira] [Work logged] (TS-4858) Global session ticket key block leaks.

Thu, 15 Sep 2016 12:18:45 -0700 

     [ 
https://issues.apache.org/jira/browse/TS-4858?focusedWorklogId=29176&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-29176
 ]

ASF GitHub Bot logged work on TS-4858:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Sep/16 19:18
            Start Date: 15/Sep/16 19:18
    Worklog Time Spent: 10m 
      Work Description: Github user jpeach commented on a diff in the pull 
request:

    https://github.com/apache/trafficserver/pull/1024#discussion_r79039044
  
    --- Diff: iocore/net/SSLUtils.cc ---
    @@ -2052,6 +2052,7 @@ SSLParseCertificateConfiguration(const 
SSLConfigParams *params, SSLCertLookup *l
     
       // Load the global ticket key for later use.
       REC_ReadConfigStringAlloc(ticket_key_filename, 
"proxy.config.ssl.server.ticket_key.filename");
    +  ticket_block_free(global_default_keyblock);
    --- End diff --
    
    Unfortunately this is not going to work correctly. At the same time you 
have frees the ticket block here, other threads are accessing it to perform SSL 
handshaking, so they will read a stale pointer.
    
    One way to fix this is to make the ticket block part of the 
``SSLCertLookup`` object and then point the global pointer that that object. 
That might get a little nasty since updating the certificate lookup can fail 
after you assign the global pointer. You might need to find a different way.
    
    In general, I think what needs to happen here is:
    
    - Only update the ticket block if it has changed. Updating is each time 
will reduce the possibility of SSL session resumption.
    - If you update the ticket block, swap the pointers to the old and new 
blocks atomically, then schedule the old block for deletion


Issue Time Tracking
-------------------

    Worklog Id:     (was: 29176)
    Time Spent: 1h  (was: 50m)

> Global session ticket key block leaks.
> --------------------------------------
>
>                 Key: TS-4858
>                 URL: https://issues.apache.org/jira/browse/TS-4858
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: James Peach
>            Assignee: Syeda Persia Aziz
>             Fix For: 7.0.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> From source inspection, ``global_default_keyblock`` is always assigned so it 
> will leak on configuration reload.
> Have not reproduced this since I wasn't able to get SSL config reload to work 
> :-(



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to