Looking at Crypt-SSLeay-0.57 - and the rather trivial script below works:

- fine and dandy when there is no PKCS12 environment variable set for a client side cert:

    perl below.pl
    .......
    while true; do ps aux | grep perl | grep below.pl; sleep 1; done

  shows a steady size. HOWEVER:

- Leaks a few 100kbs-1Mbyte/second when one is set.

    export HTTPS_PKCS12_FILE=~/client.p12
    export HTTPS_PKCS12_PASSWORD=supersecret
    perl below.pl
    .......
    while true; do ps aux | grep perl | grep below.pl; sleep 1; done

  shows a very steady growth.

Simplest script I could think of is shown below. Anyone any ideas - almost looks as if the .49 patch:

    + Added patch from Pavel Hlavnicka for freeing memory leaks from SSL_CTX_use_pkcs12_file() whose functionality is triggered by the $ENV{HTTPS_PKCS12_*} settings

was somehow reverted.

Suggestions appreciated! Let me know if you need a test server/client-cert to test against.

Thanks,

Dw

- sample script

    use strict;
    use warnings;
    use LWP::UserAgent;

    $|++;                       # unbuffered output so each dot shows up at once
    my $i  = 0;                 # request counter
    my $ua = LWP::UserAgent->new(keep_alive => 10);
    while (1) {
        $i++;
        # One HTTPS GET per iteration; the client cert comes from $ENV{HTTPS_PKCS12_*}
        my $req = HTTP::Request->new('GET', 'https://xxxx.com');
        my $res = $ua->request($req);
        print ".";
    }

- command sequence to get yourself a server/client cert and config for apache:

    # self signed server cert
    openssl req -new -x509 -nodes \
        -set_serial 1 \
        -out server.pem -keyout server.key \
        -subj /CN=server

    # cert of the root CA issuing client certs.
    #
    openssl req -new -x509 -nodes \
        -set_serial 1 \
        -out client-ca.pem -keyout client-ca.key \
        -subj /CN=client-ca

    # client cert request
    # (the serial is set when the CA signs, not on the request)
    openssl req -new -nodes \
        -out client.req -keyout client.key \
        -subj /CN=theclient

    # root signs it
    # (-CA/-CAkey so the cert is issued by client-ca; -signkey would self-sign)
    openssl x509 -req -in client.req \
        -CA client-ca.pem -CAkey client-ca.key \
        -set_serial 3 \
        -out client.pem

    # package as PKCS12 for Crypt::SSLeay
    openssl pkcs12 -export -out client.p12 \
        -in client.pem -inkey client.key \
        -passout pass:supersecret

    # config for apache httpd.conf
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile server.pem
    SSLCertificateKeyFile server.key
    # file name matches the client CA cert generated above
    SSLCACertificateFile client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
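
One way to put a number on the "steady size" versus "very steady growth" observation in the report above, added here as an example and not part of the original post: sample the process RSS and fit a least-squares slope instead of eyeballing `ps` output. The function names, the 50 kB-per-sample threshold and the sample readings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a process's
# resident memory is steady or growing from a series of RSS samples in kB.
# Usage, in a second terminal while the script under test is running:
#   sample "$(pgrep -f below.pl)" 30 1 | classify 50

# rss_of PID: current RSS in kB, empty if the process has exited.
rss_of() {
    ps -o rss= -p "$1" | tr -d ' '
}

# sample PID COUNT INTERVAL: print COUNT readings, INTERVAL seconds apart.
sample() {
    i=0
    while [ "$i" -lt "$2" ]; do
        r=$(rss_of "$1"); [ -n "$r" ] || break
        echo "$r"; i=$((i + 1)); sleep "$3"
    done
}

# growth_kb_per_sample: one RSS value per line on stdin; prints the
# least-squares slope in kB per sample, rounded to the nearest integer.
growth_kb_per_sample() {
    awk 'NF { n++; sx += n; sy += $1; sxx += n*n; sxy += n*$1 }
         END {
             if (n < 2) { print 0; exit }
             slope = (n*sxy - sx*sy) / (n*sxx - sx*sx)
             printf "%d\n", slope + (slope >= 0 ? 0.5 : -0.5)
         }'
}

# classify THRESHOLD_KB: "growing N" if the slope exceeds the threshold,
# otherwise "steady N". A fitted slope tolerates allocator jitter that a
# simple last-minus-first comparison would misreport.
classify() {
    slope=$(growth_kb_per_sample)
    if [ "$slope" -gt "$1" ]; then echo "growing $slope"; else echo "steady $slope"; fi
}

# Constructed readings (kB), not measurements taken from the report.
STEADY_SAMPLES="41200 41204 41200 41208 41204"
LEAKY_SAMPLES="41200 41700 42230 42730 43240"
```

Feed the constructed readings one per line, for example `printf '%s\n' $LEAKY_SAMPLES | classify 50`.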