Bug fix: leak of peer certificate
There is a memory leak in mod_ssl-2.8.11-1.3.27 when client authentication is used. The peer certificates are leaked - as much as 3-4K per request. I am enclosing a description of the memory leak, and a suggested patch to mod_ssl-2.8.11-1.3.27 to fix it. I'd appreciate it if it (or some variant of the same idea) were applied to mod_ssl. I haven't yet looked at whether the same leak exists in Apache 2 and whether it should be fixed there too.

Thanks to Zvi Har'El for researching and fixing this bug with me.

Description of the bug:
---

When Apache+mod_ssl is configured to require authentication of clients, the X509 certificate that the client sends gets saved inside the SSL_SESSION object. To access this certificate, OpenSSL provides a function SSL_get_peer_certificate(). Mod_ssl uses this function in a number of places, at least once per connection.

OpenSSL's memory management relies on reference counts; an object is not really freed before its reference count becomes zero. The SSL_get_peer_certificate() manual expressly warns that: "The reference count of the X509 object is incremented by one, so that it will not be destroyed when the session containing the peer certificate is freed. The X509 object must be explicitly freed using X509_free()."

However, mod_ssl does call SSL_get_peer_certificate() a number of times without later X509_free'ing its result. Because one such mistake happens at every connection (in ssl_hook_NewConnection()), peer certificates will never ever get freed. Not even if the enclosing SSL_SESSION object gets freed.

This in-memory certificate object can be quite big, in my tests over 3K (over 5 times the size of the rest of the session object). In some circumstances, if Apache processes do not get killed often enough, this could lead to huge leaks in the order of megabytes *per Apache process*. In fact, researching this bug was started when one of our machines went down (swapping like mad) after as little as one minute of very heavy test load.
The solution to this bug is to appropriately call X509_free every time the code gets the certificate object and is done with it. This is what the patch below does.

Notes:

-- The following patch also includes changes that I wrote about a couple of days ago. They change free() calls to OPENSSL_free() where necessary in mod_ssl. A quick reminder: memory returned by OpenSSL functions like X509_NAME_oneline is allocated by OPENSSL_malloc, and should be freed with OPENSSL_free, not with free(). This caused me a lot of problems when trying to debug this memory leak (because OPENSSL_malloc and OPENSSL_free calls did not match up), so I think it would be good to clean this up once and for all.

One note about reproducing this leak: By default, mod_ssl does not make any attempt to disable OpenSSL's internal session cache (we discussed this a bit on this list a few days ago), which is huge (20,000 sessions long) by default. In this case, the session objects for the first 20,000 sessions in a certain Apache process are deliberately not freed, and obviously the peer certificates (if any) inside them aren't freed either. Only when one lowers the size of this internal cache (with SSL_CTX_sess_set_cache_size()) or disables it completely (the upcoming SSL_SESS_CACHE_NO_INTERNAL option to SSL_CTX_set_session_cache_mode()) does one notice that all the certificates never got freed anyway. With this patch, and with the internal session cache disabled, Apache processes will not grow at all, not even after numerous client-authenticated requests.

The patch itself:

- diff -ur mod_ssl-2.8.11-1.3.27-dist/pkg.sslmod/ssl_engine_ext.c mod_ssl-2.8.11-1.3.27/pkg.sslmod/ssl_engine_ext.c --- mod_ssl-2.8.11-1.3.27-dist/pkg.sslmod/ssl_engine_ext.c 2002-03-27 18:47:58.0 +0200 +++ mod_ssl-2.8.11-1.3.27/pkg.sslmod/ssl_engine_ext.c 2002-10-25 17:15:22.0 ++0200
@@ -624,7 +624,7 @@ ssl_log(s, SSL_LOG_DEBUG, "SSL Proxy: (%s) no acceptable CA list, sending %s", servername, cp != NULL ? cp : "-unknown-"); -free(cp); +OPENSSL_free(cp); /* export structures to the caller */ *x509 = xi->x509; *pkey = xi->x_pkey->dec_pkey; @@ -643,7 +643,7 @@ cp = X509_NAME_oneline(X509_get_subject_name(xi->x509), NULL, 0); ssl_log(s, SSL_LOG_DEBUG, "SSL Proxy: (%s) sending %s", servername, cp != NULL ? cp : "-unknown-"); -free(cp); +OPENSSL_free(cp); /* export structures to the caller */ *x509 = xi->x509; *pkey = xi->x_pkey->dec_pkey; @@ -717,8 +717,8 @@ servername, peer != NULL ? peer : "-unknown-", errdepth, cp != NULL ? cp : "-unknown-", cp2 != NULL ? cp2 : "-unknown"); -free(cp); -free(cp2); +OPENSSL_free(cp); +OPENSSL_free(cp2);
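Review bot: in the @@ -624 hunk the free(cp) -> OPENSSL_free(cp) change is the right allocator pairing for a string from X509_NAME_oneline, but none of the three hunks quoted here add the X509_free() calls that the report names as the actual leak fix (the SSL_get_peer_certificate() result in ssl_hook_NewConnection()). Either the quoted patch is incomplete or those hunks were dropped from the mail; please resend the hunks that add the X509_free() calls so the leak fix can be reviewed alongside the allocator cleanup.

Review bot: in the @@ -717 hunk both cp and cp2 can be NULL on the path shown (the ssl_log line above guards with `cp != NULL ? cp : "-unknown-"` and `cp2 != NULL ? cp2 : "-unknown"`), so `OPENSSL_free(cp); OPENSSL_free(cp2);` relies on the configured OpenSSL free function tolerating a NULL pointer; with a custom allocator installed via CRYPTO_set_mem_functions that is not guaranteed, so consider guarding each free with `if (cp != NULL)`. Also note the `"-unknown"` literal for cp2 is missing the trailing dash that the other log strings use.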
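The reference-count rule the report quotes (the session holds one reference to the peer certificate, SSL_get_peer_certificate() hands the caller a second one, and freeing the session therefore cannot free a certificate the caller never released) is easy to see in a small model. The following C program is an added example, not code from the mail or from mod_ssl or OpenSSL: the toy_x509 and toy_session types, the live_certs counter and every toy_* function are hypothetical stand-ins that copy only the ownership semantics of X509, SSL_SESSION, X509_free(), SSL_get_peer_certificate() and SSL_SESSION_free(). It runs the leaky hook and the fixed hook over 100 client-authenticated "connections" and counts what survives.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for OpenSSL's X509 (assumption: modelled on its reference
 * count, not the real structure). */
typedef struct {
    int references;
    char subject[64];
} toy_x509;

/* Toy stand-in for SSL_SESSION: holds its own reference to the peer cert. */
typedef struct {
    toy_x509 *peer;
} toy_session;

/* Certificates not yet freed; stands in for the process growth reported. */
static int live_certs = 0;

static toy_x509 *toy_x509_new(const char *subject)
{
    toy_x509 *x = malloc(sizeof *x);
    if (x == NULL)
        abort();
    x->references = 1;
    snprintf(x->subject, sizeof x->subject, "%s", subject);
    live_certs++;
    return x;
}

/* Like X509_free(): drop one reference; the object dies only at zero. */
static void toy_x509_free(toy_x509 *x)
{
    if (x == NULL || --x->references > 0)
        return;
    free(x);
    live_certs--;
}

/* Like SSL_get_peer_certificate(): the caller gets its own reference and
 * owns it until it calls toy_x509_free(). */
static toy_x509 *toy_get_peer_certificate(const toy_session *s)
{
    if (s->peer == NULL)
        return NULL;
    s->peer->references++;
    return s->peer;
}

static toy_session *toy_session_new(const char *peer_subject)
{
    toy_session *s = malloc(sizeof *s);
    if (s == NULL)
        abort();
    s->peer = toy_x509_new(peer_subject); /* the session's own reference */
    return s;
}

/* Like SSL_SESSION_free(): the session releases only its own reference. */
static void toy_session_free(toy_session *s)
{
    toy_x509_free(s->peer);
    free(s);
}

/* Leaky per-connection hook: takes a reference and never releases it. */
static void hook_new_connection_leaky(const toy_session *s)
{
    toy_x509 *peer = toy_get_peer_certificate(s);
    if (peer != NULL) {
        /* ...inspect peer->subject... */
    }
    /* missing toy_x509_free(peer) */
}

/* Fixed hook: every successful get is paired with a free. */
static void hook_new_connection_fixed(const toy_session *s)
{
    toy_x509 *peer = toy_get_peer_certificate(s);
    if (peer != NULL) {
        /* ...inspect peer->subject... */
        toy_x509_free(peer);
    }
}

/* Run n connections through a hook, freeing each session afterwards, and
 * return how many certificates are still alive. */
static int certs_leaked_by(int n, void (*hook)(const toy_session *))
{
    int before = live_certs;
    for (int i = 0; i < n; i++) {
        toy_session *s = toy_session_new("CN=client"); /* constructed */
        hook(s);
        toy_session_free(s);
    }
    return live_certs - before;
}

/* Why freeing the session does not help: the caller's unreleased reference
 * keeps the certificate alive after the session is gone. Returns the live
 * count measured between the session free and the caller's own free. */
static int certs_alive_after_session_free(void)
{
    int before = live_certs;
    toy_session *s = toy_session_new("CN=client");
    toy_x509 *peer = toy_get_peer_certificate(s);
    toy_session_free(s);
    int alive = live_certs - before;
    toy_x509_free(peer);
    return alive;
}

int main(void)
{
    printf("leaky hook: %d certs leaked over 100 connections\n",
           certs_leaked_by(100, hook_new_connection_leaky));
    printf("fixed hook: %d certs leaked over 100 connections\n",
           certs_leaked_by(100, hook_new_connection_fixed));
    printf("certs alive after session free: %d\n",
           certs_alive_after_session_free());
    return 0;
}
```

The same ownership rule applies to the X509_NAME_oneline strings the patch touches: whatever hands out a reference or an allocation defines the matching release call, and a free from the wrong family (free() for OPENSSL_malloc memory, or no X509_free at all) is invisible to the compiler and shows up only as process growth under load.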
RE: SSLFakeBasicAuth ?
Browsers cache the username/password and should continue to allow access until they are restarted -- at least all that I've used do. It is not controlled by a setting on the server as they are cached and controlled client-side.

Jamie Furtner

-Original Message-
From: Ron McKeever [mailto:rmckeever@;earthlink.net]
Sent: Friday, October 25, 2002 2:49 PM
To: [EMAIL PROTECTED]
Subject: SSLFakeBasicAuth ?

Hello

I have an Apache/1.3.27/mod_ssl/2.8.12/OpenSSL/0.9.6e/Solaris 8 system. I wanted to use .htaccess without the file .htaccess. So I found the option to use SSLFakeBasicAuth in the httpd.conf file. It works and asks for my login. My question is: what is the timeout after asking for the SSLFakeBasicAuth Dir? It seems once you get authenticated you can keep clicking on the link without being asked for your username/password?

From httpd.conf:

    SSLFakeBasicAuth
    SSLRequireSSL
    Options FollowSymLinks
    AllowOverride none
    AuthUserFile /opt/apache/.htpasswd
    AuthType Basic
    AuthName Watchdog
    Require valid-user

Thanks
Rob

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
SSLFakeBasicAuth ?
Hello

I have an Apache/1.3.27/mod_ssl/2.8.12/OpenSSL/0.9.6e/Solaris 8 system. I wanted to use .htaccess without the file .htaccess. So I found the option to use SSLFakeBasicAuth in the httpd.conf file. It works and asks for my login. My question is: what is the timeout after asking for the SSLFakeBasicAuth Dir? It seems once you get authenticated you can keep clicking on the link without being asked for your username/password?

From httpd.conf:

    SSLFakeBasicAuth
    SSLRequireSSL
    Options FollowSymLinks
    AllowOverride none
    AuthUserFile /opt/apache/.htpasswd
    AuthType Basic
    AuthName Watchdog
    Require valid-user

Thanks
Rob
Re: mod_ssl-2.0.40-8
On Friday 25 Oct 2002 2:01 pm, I wrote:
> Anyway, if you get the Apache2 source code, (a tarball from the horse's
> mouth mouth, or via source RPMs from Redhat or elsewhere), then you
        ^^^

I am reminded from time to time that perhaps "vi" might not, after all, be as appropriate for quickly-blurted emails as it is for coding ... with this slight slip of the fingers I make an already silly reference utterly incomprehensible. Apologies, I meant "a tarball from apache.org".

Cheers,
Geoff

--
Geoff Thorpe [EMAIL PROTECTED]
http://www.geoffthorpe.net/
Re: mod_ssl-2.0.40-8
Hi,

On Friday 25 Oct 2002 1:30 pm, Mike Pacheco wrote:
> Hi All,
>
> Been on the mod_ssl site from top to bottom and I can not find mod_ssl
> for apache 2.0.40 - I do a custom install of RedHat 8.0 - pick httpd
> and mod_ssl and then query the installed packages after it finishes and
> I test apache with ssl successfully and I get:
>
> rpm -q mod_ssl = mod_ssl-2.0.40-8
>
> I would like to get my hands on the source for this version of mod_ssl
> for some custom install options but I can not seem to find it. Can
> somebody please point me in the right direction?

It's bundled in the source code for Apache2 now.

BTW: that's strange naming for the rpm if it's as you say and Redhat have split the Apache2 modules out. "apache-mod_ssl" would have made more sense for the ssl support IMHO.

Anyway, if you get the Apache2 source code, (a tarball from the horse's mouth mouth, or via source RPMs from Redhat or elsewhere), then you should find the ssl module sitting in the source.

Cheers,
Geoff

--
Geoff Thorpe [EMAIL PROTECTED]
http://www.geoffthorpe.net/
mod_ssl-2.0.40-8
Hi All,

Been on the mod_ssl site from top to bottom and I can not find mod_ssl for apache 2.0.40 - I do a custom install of RedHat 8.0 - pick httpd and mod_ssl and then query the installed packages after it finishes and I test apache with ssl successfully and I get:

rpm -q mod_ssl = mod_ssl-2.0.40-8

I would like to get my hands on the source for this version of mod_ssl for some custom install options but I can not seem to find it. Can somebody please point me in the right direction?

Thanks
Mike Pacheco
One last question!
When I try to access port 443 I get a session where it informs you that you are accessing a secure document, and then it prompts you for the pass phrase. I have accessed secure servers before and although the browser informs you that you are accessing a secure document you do not have to engage in this interactive session nor are you prompted for a pass phrase. How can the certificate giving be achieved silently and w/o requiring the client to know the pass phrase?

Best
Dinos