a) If you would like to see an example of the memory leak, here is how I reproduce it.

1. Clone this git repository: http://github.com/bostjan/PHP-application-server
2. Copy/move/symlink contents to /opt/daemons/AppSrv
3. cd to /opt/daemons/AppSrv/demos/demo_https
4. Start the daemon: ./demo -d5
   - binds and listens on port 30000
   - does not fork into background
7. Execute ./client_openssl_nocert
5. With another shell go to: /opt/daemons/AppSrv/demos/demo_https
6. Execute this: while (true); do ./client_curl; done
7. Start another shell and watch the increasing resident memory of the PHP server process

b) If you would like to see an example of the stale openssl_x509 resource bug, here is how I reproduce it.

Follow the steps 1-5 above.
6. Execute ./client_openssl
   - make some input, double return
   - watch at the server console how the correct CN appears two times
7. Execute ./client_openssl_nocert
   - watch at the server console how the STALE CN from the previous connection appears
8. Execute ./client_openssl_nocert
   - and the bug has gone into hiding
9. If you repeat steps 6-8, the bug reappears/disappears again.

I hope this helps,
b.

On 21 February 2010 01:45, Bostjan Skufca <bost...@a2o.si> wrote:
> The patch includes code which is very similar, but its functionality
> goes just the other way around.
>
> The original code takes the remote CN and, if that contains an asterisk, it
> tries a 'limited-wildcard-match' of CN_match against the remote CN
> (the remote CN is the pattern in this case, if you will).
>
> On the other hand, the added code checks if CN_match contains an asterisk and,
> if so, it does a 'limited-wildcard-match' of the REMOTE CN against the CN_match
> pattern.
>
>
> The original version 'could' be enough if you are only considering PHP
> as an SSL client.
>
>
> Now, what I am trying to achieve is a whole standalone application
> server written in PHP. That is, all the forking/process management etc.
> stuff. And I would like to set it up like this:
> - it has an SSL listening socket
> - set CN_match for the listening socket to '*.example.org'
> - create the listening socket with stream_socket_server
> All of the above in order to accept connections only from clients which
> present themselves with an appropriate certificate (based on the cacert check,
> which works OK) and an appropriate CN.
>
> To illustrate the desired functionality:
> - CNs host1.example.org and host2.example.org are OK,
> - but not CN host3.otherdomain.org, even if it presents a certificate
> from the same CA as the two above.
>
>
> Was I clear enough now? :)
> b.
>
>
>
> PS: I've just discovered another issue. In the context of creating a
> listening socket with stream_socket_create, again.
>
> If a preceding SSL client has introduced itself with a client
> certificate, and the current client does not, the
> [ssl][peer_certificate] of the new socket's context options still
> contains a reference to a resource of the preceding client's certificate.
> Later, subsequent client connections without a certificate do not
> exhibit the same behaviour.
> If the pattern reoccurs (... ---> client-with-cert ---> followed by
> client-without-cert), the story repeats.
>
> There is also a memory leak in this - when I looped the client to
> establish hundreds of sequential SSL connections, the resident
> memory footprint of the php server process was ever increasing. When I
> switched my App server to the HTTP protocol and repeated the test, the
> memory leak was not present anymore. And I did the openssl_x509_free()
> call on the peer_certificate resource upon client disconnect.
>
>
>
>
>
> On 21 February 2010 00:05, Pierre Joye <pierre....@gmail.com> wrote:
>> hi,
>>
>> Is it not supposed to work already? As your patch basically does what
>> is done earlier in the code if the match fails. If there is a bug in this
>> area, we should fix it instead of adding the same thing later :)
>>
>> I will check this issue next week.
>>
>> Btw, there is no chance to get this in 5.2.13 or 5.3.2 at this stage,
>> it is too late in the process.
>>
>> Thanks for your work!
>>
>> Cheers,
>>
>> On Sat, Feb 20, 2010 at 8:56 PM, Bostjan Skufca <bost...@a2o.si> wrote:
>>> Hi!
>>>
>>> I've created a patch that enables PHP to do "limited wildcard
>>> matching" if the CN_match option in the stream context is specified as
>>> '*.example.org'.
>>> Also I have filed a bug report for this, here:
>>> http://bugs.php.net/bug.php?id=51100
>>>
>>> The patch is here:
>>> http://source.a2o.si/php/php-ext-openssl-CN_match-wildcard.diff
>>>
>>> It was made against 5.2.12 but I checked it with SVN:
>>> - for the 5.2 branch the offset is only +6 lines
>>> - for trunk it is ca. +800 lines
>>>
>>> Can you include it in the 5.2.13 release and 5.3? I know the former is
>>> already in RC stage but this can't break anything, I believe.
>>>
>>> Best regards,
>>> b.
>>>
>>
>>
>>
>> --
>> Pierre
>>
>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
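The "limited wildcard matching" described in the thread (CN_match set to '*.example.org' on the listening side, the remote client's CN checked against it) can be written as a small self-contained matcher. The block below is an added example, not Bostjan's patch and not PHP's ext/openssl code; the function name cn_matches_pattern and the sample CNs other than the three named in the thread are constructed here. It accepts only a single leading "*." label, so the asterisk stands for exactly one DNS label: host1.example.org and host2.example.org pass, while host3.otherdomain.org, a.b.example.org and the bare example.org are rejected, and a pattern with the asterisk anywhere else is refused outright rather than treated as a weaker match.

```c
/* Added example (not PHP's ext/openssl): a "limited wildcard" CN matcher.
 * pattern is the CN_match value, e.g. "*.example.org"; cn is the peer's CN.
 * Only the form "*.<suffix>" is accepted as a wildcard, and the '*' covers
 * exactly one label. Comparison is case-insensitive, as DNS names are. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive equality of two NUL-terminated strings. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if cn is accepted by pattern, 0 otherwise.
 * A pattern without '*' must match the CN exactly (case-insensitively).
 * A '*' anywhere other than as the complete leftmost label is rejected. */
int cn_matches_pattern(const char *pattern, const char *cn)
{
    if (pattern == NULL || cn == NULL || *pattern == '\0' || *cn == '\0')
        return 0;

    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return ieq(pattern, cn);                 /* plain, exact match */

    /* Wildcard must be the whole first label ("*.suffix"), and the only one. */
    if (star != pattern || pattern[1] != '.' || pattern[2] == '\0'
        || strchr(pattern + 1, '*') != NULL)
        return 0;

    const char *suffix = pattern + 1;            /* ".example.org" */
    const char *dot = strchr(cn, '.');
    if (dot == NULL || dot == cn)
        return 0;                                /* need a non-empty first label */

    /* Everything after the CN's first label must equal the suffix exactly,
     * so the '*' cannot swallow more than one label ("a.b.example.org" fails). */
    return ieq(dot, suffix);
}

int main(void)
{
    const char *pattern = "*.example.org";       /* CN_match value from the thread */
    const char *cns[] = {                        /* constructed sample peer CNs */
        "host1.example.org", "host2.example.org",
        "host3.otherdomain.org", "a.b.example.org", "example.org"
    };
    for (size_t i = 0; i < sizeof cns / sizeof cns[0]; i++)
        printf("%-24s -> %s\n", cns[i],
               cn_matches_pattern(pattern, cns[i]) ? "accept" : "reject");
    return 0;
}
```

The check runs after the CA verification the thread already relies on; it only decides whether a certificate that chained to the trusted cacert also names an acceptable host, so a wildcard in the pattern never widens what the CA check itself allows.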