https://issues.apache.org/bugzilla/show_bug.cgi?id=44975
Summary: memory leak with mod_ssl and zlib compression
Product: Apache httpd-2
Version: 2.2.8
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
We have encountered an easily reproducible memory leak with Apache2 + mod_ssl
with zlib encryption enabled.

Reproducing the problem is as simple as running Apache-bench against a
vulnerable host:

    ab -n 10000 -c 20 -f tls1 https://vulnerable.host.example.com:443/

Vulnerable hosts seem to be (apache >= 2.2.4) + (openssl >= 0.9.8e).

Depending on how much memory is available on the server, you may need to scale
the value of -n up or down. With 128MB in a virtual machine -n 1000 is enough
to manifest the problem.

On the client side, you will begin seeing:

    SSL handshake failed (5).
    SSL read failed - closing connection

On the server side under Linux, the kernel Out-of-memory (OOM) killer starts
reaping runaway Apache2 instances.

    Out of memory: kill process XXXX (apache2)
This bug is being tracked in Ubuntu's bug tracker here:
https://bugs.edge.launchpad.net/ubuntu/+source/apache2/+bug/224945
As this looks to be an issue with OpenSSL, it has been reported there as well:
http://marc.info/?l=openssl-dev&m=121060672602371&w=2
:-Dustin
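
Added example (not part of the original report, and not Apache or OpenSSL code): a small triage helper that checks a host for the two server-side signs described above, OOM kills of apache2 in the kernel log and zlib compression negotiated on the TLS connection. The function names and the sample log and `openssl s_client` text are constructed for illustration.

```python
import re

# Kernel message quoted in the report; newer kernels print "Killed process".
OOM_RE = re.compile(r"Out of memory: kill(?:ed)? process (\d+) \(([^)]+)\)", re.I)
# `openssl s_client` reports the negotiated method as "Compression: <name>" or NONE.
COMP_RE = re.compile(r"^[ \t]*Compression:[ \t]*(.+?)[ \t]*$", re.M)


def oom_kills(log_text, process="apache2"):
    """Return PIDs of OOM-killed processes with the given name, in log order."""
    return [int(pid) for pid, name in OOM_RE.findall(log_text) if name == process]


def negotiated_compression(s_client_output):
    """Return the negotiated TLS compression method, or None if none was used."""
    m = COMP_RE.search(s_client_output)
    if not m or m.group(1).upper() == "NONE":
        return None
    return m.group(1)


def triage(log_text, s_client_output, process="apache2"):
    """Summarise whether a host shows both symptoms described in the report."""
    pids = oom_kills(log_text, process)
    comp = negotiated_compression(s_client_output)
    return {
        "oom_kills": len(pids),
        "pids": pids,
        "compression": comp,
        # Heuristic only: both symptoms present, not proof of the leak itself.
        "matches_report": bool(pids) and comp is not None and "zlib" in comp.lower(),
    }


# Constructed sample input (hostnames, PIDs and scores are made up).
SAMPLE_KERN_LOG = """\
May 12 10:01:17 web1 kernel: Out of memory: kill process 4211 (apache2) score 9120 or a child
May 12 10:01:19 web1 kernel: Out of memory: kill process 4260 (apache2) score 9087 or a child
May 12 10:02:03 web1 kernel: Out of memory: kill process 977 (mysqld) score 5120 or a child
"""
SAMPLE_S_CLIENT = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
"""

if __name__ == "__main__":
    print(triage(SAMPLE_KERN_LOG, SAMPLE_S_CLIENT))
```

A host whose s_client output shows "Compression: NONE" does not match the conditions in this report, even if apache2 is being OOM-killed for another reason.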