** Description changed: [ Impact ] - * Accessing ssl.SSLSocket.session is leaking memory, which impacts both + * Accessing ssl.SSLSocket.session is leaking memory, which impacts both clients and servers. For some servers and applications this memory leak ultimately impacts the stability of the system/ - * The root cause also added a significant performance penalty for + * The root cause also added a significant performance penalty for accessing ssl.SSLSocket.session, which will also be removed with the proposed fix. [ Test Plan ] - * Save the following script into a file like ./test.py + * Save the following script into a file like ./test.py import ssl import socket import time host = '185.125.190.20' # ubuntu.com port = 443 session = None context = ssl._create_unverified_context(protocol=ssl.PROTOCOL_TLSv1_2) with socket.create_connection((host, port)) as sock: - with context.wrap_socket(sock, server_hostname=host, session = session) as ssock: - for i in range(300000): - session = ssock.session + with context.wrap_socket(sock, server_hostname=host, session = session) as ssock: + for i in range(300000): + session = ssock.session - * Run /usr/bin/time -v python3 ./test.py. Under "Average resident set + * Run /usr/bin/time -v python3 ./test.py. Under "Maximum resident set size (kbytes)" the output should list a memory usage of multiple mergabytes (likely 20-30MB) compared to the memory leak output of multiple GB [ Where problems could occur ] - * If the patch is incorrect it could impact the ssl module of Python. + * If the patch is incorrect it could impact the ssl module of Python. This could mean a correctness issue (potentially blocking clients or servers from accepting connections) or a security issue (introducing a vulnerability to Python). - * I tried to keep the potential impact as low as possible by using the + * I tried to keep the potential impact as low as possible by using the reviewed and published patch from upstream cpython. 
Additionally the modified code does not directly handle any of the cryptographic operations. [ Other Info ] - * The patch has ben in upstream cpython for about 2 years by now and + * The patch has ben in upstream cpython for about 2 years by now and was officially backported to 3.13 and 3.12, meaning that it has been vetted by the community and should be stable and correct. --- When ssl.SSLSocket.session` property was accessed, there's a memory leak which was introduced in CPython 3.10. Upstream bug report: https://github.com/python/cpython/issues/116810 Upstream patch: https://github.com/python/cpython/pull/123249
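Review bot: the `+` lines of the [ Impact ] section differ from the `-` lines only in leading whitespace, so this part of the change is cosmetic; while touching it, "impacts the stability of the system/" should end with a period rather than a slash.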
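Review bot: the `+` lines of the test script in [ Test Plan ] have lost the nesting that the `-` lines had: `with context.wrap_socket(sock, server_hostname=host, session = session) as ssock:`, `for i in range(300000):` and `session = ssock.session` now all start at the same column as `with socket.create_connection((host, port)) as sock:`, so the script as shown fails with an IndentationError instead of reproducing the leak. Restore the nesting (inner `with` one level in, `for` two levels, the assignment three), and drop the unused `import time` while at it.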
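Review bot: the wording change from "Average resident set" to "Maximum resident set" in the `/usr/bin/time -v` step is correct, since GNU time's verbose output labels that field "Maximum resident set size (kbytes)"; "mergabytes" in the same sentence should read "megabytes", and the step would be easier to verify if it stated the expected value with the fix (the text's 20-30 MB) and without it (multiple GB) as an explicit pass/fail threshold rather than prose.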
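Review bot: the `+` line of [ Other Info ] keeps the typo "has ben in upstream cpython" from the `-` line; it should read "has been". Linking the upstream backport commits for 3.13 and 3.12 next to the existing issue and pull request URLs would also let a reviewer confirm the "officially backported" claim directly.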
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2157534

Title:
  getting ssl.SSLSocket.session brings to memory leak

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.10/+bug/2157534/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
