Re: [PATCH 6/8] reconfiguration leaks: SSL certificate context cache

2014-08-20 Thread Alex Rousskov
On 08/20/2014 01:09 AM, Amos Jeffries wrote:
> On 20/08/2014 9:27 a.m., Alex Rousskov wrote:
>> On 06/15/2014 05:00 AM, Tsantilas Christos wrote:
>>> On 06/13/2014 10:46 PM, Alex Rousskov wrote:
 On 04/25/2014 01:46 AM, Amos Jeffries wrote:
> On 25/04/2014 12:56 p.m., Alex Rousskov wrote:
>> Do not leak fake SSL certificate context cache when reconfigure
>> changes port addresses.
>>
> This requires the guarantee that all connections using the storage are
> closed right?
>>
>>
 Hi Christos,

My understanding is that deleting a cached LocalContextStorage object
 does not actually affect connections that use the corresponding SSL_CTX
 and certificate because any SSL object using those things increments
 their sharing counter and deleting LocalContextStorage only decrements
 that counter. The [cached] SSL_CTX object is not destroyed by
 SSL_CTX_free until that sharing counter reaches zero. Is my
 understanding flawed?
>>
>>
>>> This is true. The SSL_CTX objects are not destroyed.
>>
>>
>>
 Do we have any code that stores SSL_CTX pointers for asyncrhonous use
 (i.e., across many main loop iterations) but does not increment the
 sharing counter?
>>
>>
>>> Nope.
>>> I hope I am not loosing anything. In any case if such case found it
>>> should be considered as bug, and must fixed...
>>
>>
>> Hi Amos,
>>
>> Does the above exchange resolve your concerns regarding that 6/8
>> leak patch? I have re-attached the same patch here for your convenience.
> 
> It does, yes.  +1.

Committed to trunk as r13537.


Thank you,

Alex.



Re: [PATCH 6/8] reconfiguration leaks: SSL certificate context cache

2014-08-20 Thread Amos Jeffries
On 20/08/2014 9:27 a.m., Alex Rousskov wrote:
> On 06/15/2014 05:00 AM, Tsantilas Christos wrote:
>> On 06/13/2014 10:46 PM, Alex Rousskov wrote:
>>> On 04/25/2014 01:46 AM, Amos Jeffries wrote:
 On 25/04/2014 12:56 p.m., Alex Rousskov wrote:
> Do not leak fake SSL certificate context cache when reconfigure
> changes port addresses.
> 
 This requires the guarantee that all connections using the storage are
 closed right?
> 
> 
>>> Hi Christos,
>>>
>>>My understanding is that deleting a cached LocalContextStorage object
>>> does not actually affect connections that use the corresponding SSL_CTX
>>> and certificate because any SSL object using those things increments
>>> their sharing counter and deleting LocalContextStorage only decrements
>>> that counter. The [cached] SSL_CTX object is not destroyed by
>>> SSL_CTX_free until that sharing counter reaches zero. Is my
>>> understanding flawed?
> 
> 
>> This is true. The SSL_CTX objects are not destroyed.
> 
> 
> 
>>> Do we have any code that stores SSL_CTX pointers for asyncrhonous use
>>> (i.e., across many main loop iterations) but does not increment the
>>> sharing counter?
> 
> 
>> Nope.
>> I hope I am not loosing anything. In any case if such case found it
>> should be considered as bug, and must fixed...
> 
> 
> Hi Amos,
> 
> Does the above exchange resolve your concerns regarding that 6/8
> leak patch? I have re-attached the same patch here for your convenience.

It does, yes.  +1.

Amos

> 
> 
> Thank you,
> 
> Alex.
> 
> 



Re: [PATCH 6/8] reconfiguration leaks: SSL certificate context cache

2014-08-19 Thread Alex Rousskov
On 06/15/2014 05:00 AM, Tsantilas Christos wrote:
> On 06/13/2014 10:46 PM, Alex Rousskov wrote:
>> On 04/25/2014 01:46 AM, Amos Jeffries wrote:
>>> On 25/04/2014 12:56 p.m., Alex Rousskov wrote:
 Do not leak fake SSL certificate context cache when reconfigure
 changes port addresses.

>>> This requires the guarantee that all connections using the storage are
>>> closed right?


>> Hi Christos,
>>
>>My understanding is that deleting a cached LocalContextStorage object
>> does not actually affect connections that use the corresponding SSL_CTX
>> and certificate because any SSL object using those things increments
>> their sharing counter and deleting LocalContextStorage only decrements
>> that counter. The [cached] SSL_CTX object is not destroyed by
>> SSL_CTX_free until that sharing counter reaches zero. Is my
>> understanding flawed?


> This is true. The SSL_CTX objects are not destroyed.



>> Do we have any code that stores SSL_CTX pointers for asyncrhonous use
>> (i.e., across many main loop iterations) but does not increment the
>> sharing counter?


> Nope.
> I hope I am not loosing anything. In any case if such case found it
> should be considered as bug, and must fixed...


Hi Amos,

Does the above exchange resolve your concerns regarding that 6/8
leak patch? I have re-attached the same patch here for your convenience.


Thank you,

Alex.


Do not leak fake SSL certificate context cache when reconfigure
changes port addresses.

=== modified file 'src/ssl/context_storage.cc'
--- src/ssl/context_storage.cc	2014-03-30 12:00:34 +
+++ src/ssl/context_storage.cc	2014-04-24 20:35:45 +
@@ -73,36 +73,37 @@ Ssl::LocalContextStorage *Ssl::GlobalCon
 return NULL;
 else
 return i->second;
 }
 
 void Ssl::GlobalContextStorage::reconfigureStart()
 {
 configureStorage.clear();
 reconfiguring = true;
 }
 
 void Ssl::GlobalContextStorage::reconfigureFinish()
 {
 if (reconfiguring) {
 reconfiguring = false;
 
 // remove or change old local storages.
 for (std::map::iterator i = storage.begin(); i != storage.end(); ++i) {
 std::map::iterator conf_i = configureStorage.find(i->first);
 if (conf_i == configureStorage.end() || conf_i->second <= 0) {
+delete i->second;
 storage.erase(i);
 } else {
 i->second->setMemLimit(conf_i->second);
 }
 }
 
 // add new local storages.
 for (std::map::iterator conf_i = configureStorage.begin(); conf_i != configureStorage.end(); ++conf_i ) {
 if (storage.find(conf_i->first) == storage.end() && conf_i->second > 0) {
 storage.insert(std::pair(conf_i->first, new LocalContextStorage(-1, conf_i->second)));
 }
 }
 }
 }
 
 Ssl::GlobalContextStorage Ssl::TheGlobalContextStorage;



Re: [PATCH 6/8] reconfiguration leaks: SSL certificate context cache

2014-06-15 Thread Tsantilas Christos

On 06/13/2014 10:46 PM, Alex Rousskov wrote:

On 04/25/2014 01:46 AM, Amos Jeffries wrote:


On 25/04/2014 12:56 p.m., Alex Rousskov wrote:

Do not leak fake SSL certificate context cache when reconfigure
changes port addresses.



This requires the guarantee that all connections using the storage are
closed right?



Hi Christos,

   My understanding is that deleting a cached LocalContextStorage object
does not actually affect connections that use the corresponding SSL_CTX
and certificate because any SSL object using those things increments
their sharing counter and deleting LocalContextStorage only decrements
that counter. The [cached] SSL_CTX object is not destroyed by
SSL_CTX_free until that sharing counter reaches zero. Is my
understanding flawed?


This is true. The SSL_CTX objects are not destroyed.




Do we have any code that stores SSL_CTX pointers for asyncrhonous use
(i.e., across many main loop iterations) but does not increment the
sharing counter?


Nope.
I hope I am not loosing anything. In any case if such case found it 
should be considered as bug, and must fixed...







Thank you,

Alex.






Re: [PATCH 6/8] reconfiguration leaks: SSL certificate context cache

2014-06-13 Thread Alex Rousskov
On 04/25/2014 01:46 AM, Amos Jeffries wrote:

> On 25/04/2014 12:56 p.m., Alex Rousskov wrote:
>> Do not leak fake SSL certificate context cache when reconfigure
>> changes port addresses.

> This requires the guarantee that all connections using the storage are
> closed right?


Hi Christos,

  My understanding is that deleting a cached LocalContextStorage object
does not actually affect connections that use the corresponding SSL_CTX
and certificate because any SSL object using those things increments
their sharing counter and deleting LocalContextStorage only decrements
that counter. The [cached] SSL_CTX object is not destroyed by
SSL_CTX_free until that sharing counter reaches zero. Is my
understanding flawed?

Do we have any code that stores SSL_CTX pointers for asyncrhonous use
(i.e., across many main loop iterations) but does not increment the
sharing counter?


Thank you,

Alex.



Re: [PATCH 6/8] reconfiguration leaks: SSL certificate context cache

2014-04-25 Thread Amos Jeffries
On 25/04/2014 7:46 p.m., Amos Jeffries wrote:
> On 25/04/2014 12:56 p.m., Alex Rousskov wrote:
>> Do not leak fake SSL certificate context cache when reconfigure
>> changes port addresses.
>>
>> Alex.
>>
> 
> This requires the guarantee that all connections using the storage are
> closed right?
>  That is a false assertion on reconfigure.

I mean "false assumption". There are almost certainly open client
connections using it.

Amos


Re: [PATCH 6/8] reconfiguration leaks: SSL certificate context cache

2014-04-25 Thread Amos Jeffries
On 25/04/2014 12:56 p.m., Alex Rousskov wrote:
> Do not leak fake SSL certificate context cache when reconfigure
> changes port addresses.
> 
> Alex.
> 

This requires the guarantee that all connections using the storage are
closed right?
 That is a false assertion on reconfigure.

Amos