On 23/02/16 21:28, Amos Jeffries wrote:
> Ah, you said "a small number" of wiki cert strings with those details. I took that as meaning a small number of definitely squid generated ones amidst the 130K indeterminate ones leaking.
Ah, a misunderstanding on my part - sorry. Yes, there were 302 strings containing "signTrusted" (77 of them unique), all of which appear to be server certificates (i.e. with a CN containing a domain name), so it is possibly reasonable to assume that they were for in-progress sessions and would therefore be cleaned up.
This leaves around 131297 other subject/issuer strings (581 unique) which, to my mind, can't be explained by anything other than a leak (whether that be a "real" leak where the pointers have been discarded without freeing the data, or a "pseudo" leak caused by references to them being held forever).
The SslBump wiki page (http://wiki.squid-cache.org/Features/SslBump) says that the SSL context used for talking to servers is wiped on reconfigure, and from what I've seen in the code it looks like this should still be true. However, a reconfigure doesn't seem to help in this case, so my assumption is that this data is not part of that SSL context. I'm not sure where else all of this data could be from though.
As much of the data seem to be intermediate and root CA certificates, it is presumably being collected from web servers, rather than being generated locally. Of the 131K strings not containing "signTrusted", only 2760 of them appear to be server certificates (86 unique), so it seems to me that the rest of the data are probably the intermediate certificate chains from web servers that Squid has connected to.
It looks like there were also over 400K bumped requests split across 2 workers, so although 131K certificates is a massive amount of "leaked" data, I don't think we are leaking on every connection. Coupled with the fact that I can't seem to reproduce this in a test environment, this suggests that there is something a little abnormal going on to trigger the leak. Also bear in mind that a single certificate will show up as 2 separate strings, since it has both a subject and an issuer, so we're probably actually talking about around 65K certificates.
-- 
Steve Hill, Technical Director, Opendium Limited, http://www.opendium.com
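Added example, not part of the thread or of Squid: a Python sketch of the triage Steve describes, run over a constructed set of subject/issuer strings of the kind one would pull out of a worker's memory dump. The "+Sign=signTrusted" suffix, the slash-separated DN format and the "CN looks like a domain name" heuristic are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample, not real data: subject/issuer strings as they might be
# extracted from a proxy worker's memory. The "+Sign=signTrusted" suffix is an
# assumed marker for a locally generated (bumped) certificate.
SAMPLE_STRINGS = [
    "/CN=www.example.com/O=Example Ltd/C=GB",
    "/CN=www.example.com/O=Example Ltd/C=GB",
    "/C=US/O=Example Trust/CN=Example Intermediate CA G2",
    "/C=US/O=Example Trust/CN=Example Intermediate CA G2",
    "/C=US/O=Example Trust/CN=Example Root CA",
    "/CN=*.cdn.example.net/O=Example CDN/C=GB",
    "/CN=mail.example.org/O=Example Org/C=GB+Sign=signTrusted",
    "/CN=mail.example.org/O=Example Org/C=GB+Sign=signTrusted",
]

# Heuristic: a CN that is a (possibly wildcard) hostname marks a server cert;
# CA certificates normally carry a descriptive name instead.
DOMAIN_CN = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def common_name(dn):
    """Return the CN attribute of a slash-separated DN, or None if absent."""
    for part in dn.split("/"):
        if part.startswith("CN="):
            return part[3:].split("+", 1)[0]  # drop any glued-on marker
    return None


def is_server_cert(dn):
    cn = common_name(dn)
    return cn is not None and DOMAIN_CN.match(cn) is not None


def triage(strings, marker="signTrusted"):
    """Split strings into generated vs. other, count uniques, estimate certs."""
    generated = [s for s in strings if marker in s]
    other = [s for s in strings if marker not in s]
    other_server = [s for s in other if is_server_cert(s)]
    return {
        "generated_total": len(generated),
        "generated_unique": len(set(generated)),
        "other_total": len(other),
        "other_unique": len(set(other)),
        "other_server_total": len(other_server),
        "other_server_unique": len(set(other_server)),
        "other_chain_total": len(other) - len(other_server),
        # each certificate contributes a subject and an issuer string
        "estimated_certs": len(other) // 2,
        "most_repeated": Counter(other).most_common(1)[0],
    }
```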