Re:Re: Re: memory leak related to ssl termination

Tue, 26 May 2015 00:59:03 -0700 

hi,
netstat show the following result, same as you descrbe. (ats runing for less 
than 1 day), many connections on CLOSE_WAIT.  i have no idea on this problem.

COUNT  PORT         STATE
  59871  443                  CLOSE_WAIT
   3699  443                  TIME_WAIT
    513   443                  ESTABLISHED
     14    443                  FIN_WAIT1
     11   443                  SYN_RECV
      9    443                  CLOSING
      2    443                  LAST_ACK
      1    443                  FIN_WAIT2


At 2015-05-25 21:28:49, "Acácio Centeno" <[email protected]> wrote:

Hello Esmq,


I had observed an ATS leak similar to the one you described to the user's list 
a while ago, but what seems to be the problem for us is that some ssl 
connections are getting stuck on CLOSE_WAIT. I know it's SSL related because 
this only happens with connections to port 443.


I've seen thousands of connections that would hang on this state for a long 
period. This is the command I used for getting this info, could you, please, 
run it on your environment to see if the same thing is happening to you? (where 
XXX.XXX.XXX.XXX is the server's IP addr):


netstat -n --tcp | grep XXX.XXX.XXX.XXX | sed 'XXX.XXX.XXX.XXX://g' | awk '{ 
printf("%-20s %s\n", $4,$6); }' | sort | uniq -c | sort -rn


Best regards,
Acácio.




Acácio Centeno
Software Engineering
Azion Technologies
Porto Alegre, Brasil +55 51 3012 3005 | +55 51 8118 9947
Miami, USA +1 305 704 8816
|


Quaisquer informações contidas neste e-mail e anexos podem ser confidenciais e 
privilegiadas, protegidas por sigilo legal. Qualquer forma de utilização deste 
documento depende de autorização do emissor, sujeito as penalidades cabíveis.

Any information in this e-mail and attachments may be confidential and 
privileged, protected by legal confidentiality. The use of this document 
require authorization by the issuer, subject to penalties.

|




2015-05-17 20:07 GMT-03:00 Esmq <[email protected]>:

hi,
ats running in reverse proxy mode only,  not forward or transparent porxy.
when disabled ssl, there not memory leak problem (momory usaged just increased 
by 50MB in 2 days)




在 2015-05-17 23:41:42,"Susan Hinrichs" <[email protected]> 写道:
We are tracking a memory leak issue on ssl_multicert.config reload.  But I'm 
not aware of substantial memory leak for SSL traffic passing through.

Are you running in forward proxy or reverse proxy?  Are you running in 
transparent mode?

Operating with SSL will use more memory than straight HTTP over TCP.  Is it 
possible that your steady state memory usage has increased over the TCP case?


On 5/17/2015 9:01 AM, Esmq wrote:

hi,all

i have encounter seriously memory leak problem related to ats.

########################################################
after testing for several times, it is confirmed that the problem is caused by 
ssl termination.

the following testing i haved done:
1) runing ats on several servers with same hardware/software configuration.
2) when configure some ats for ssl termination, these servers have memory 
leak...
3) when disabled ssl termination, the problem gone.
4) the ssl requests rate is about 100-200 requests/second
5) ats that enabled ssl termination increased memory usage continually 
(increase 10MB in 1 minutes)
6) the problem not fixed in v5.3.0
########################################################

my system env and configuration is :


#######################################################

runing ats on debian7 64bit system(3.2.0-4-amd64), compile the ats with 
following paramters:

./configure --prefix=/usr/local/trafficserver-5.3.0 --enable-spdy 
--with-user=trafficserver --with-group=trafficserver 
--sysconfdir=/home/trafficserver/etc --enable-experimental-plugins 
--enable-reclaimable-freelist --enable-hwloc


#######################################################

and the ssl related configuration is :

CONFIG proxy.config.http.server_ports STRING 80:proto=spdy;http 
443:proto=spdy;http:ssl
CONFIG proxy.config.ssl.number.threads INT 0
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING 
RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.compression INT 0
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
CONFIG proxy.config.ssl.server.cert.path STRING /home/trafficserver/etc
CONFIG proxy.config.ssl.server.private_key.path STRING /home/trafficserver/etc
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.CA.cert.path STRING /home/trafficserver/etc
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.client.cert.filename STRING NULL
CONFIG proxy.config.ssl.client.cert.path STRING /home/trafficserver/etc
CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
CONFIG proxy.config.ssl.client.private_key.path STRING /home/trafficserver/etc
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.client.CA.cert.path STRING /home/trafficserver/etc
CONFIG proxy.config.ssl.hsts_max_age INT -1
CONFIG proxy.config.ssl.hsts_include_subdomains INT 0


#######################################################

ssl_multicert.config:
ssl_cert_name=ssl/mdc.test.com.crt ssl_key_name=ssl/mdc.test.com.key
ssl_cert_name=ssl/daily.test.com.crt ssl_key_name=ssl/daily.test.com.key
dest_ip=* ssl_cert_name=ssl/sslbbs.example.com.ee.crt 
ssl_key_name=ssl/sslbbs.example.com.nopass.key


#########################################

is there any configuration that can relieve the memory leak ?

does anyone have the suggestion?

Reply via email to