hi,

can you run it through valgrind and paste the output in a new bug report please?

Cheers,

On Sun, Feb 21, 2010 at 2:47 AM, Bostjan Skufca <bost...@a2o.si> wrote:
> a) If you would like to see an example of memory leak, here is how I
> reproduce it.
>
> 1. Clone this git repository:
> http://github.com/bostjan/PHP-application-server
>
> 2. Copy/move/Symlink contents to /opt/daemons/AppSrv
>
> 3. cd to /opt/daemons/AppSrv/demos/demo_https
>
> 4. start the daemon: ./demo -d5
> - binds and listens on port 30000
> - does not fork into background
> 7. execute ./client_openssl_nocert
>
> 5. with another shell go to: /opt/daemons/AppSrv/demos/demo_https
>
> 6. execute this: while (true); do ./client_curl; done
>
> 7. start another shell and watch increasing residential memory of PHP
> server process
>
>
>
> b) If you would like to see an example of stale openssl_x509 resource
> bug, here is how I reproduce it.
> Follow the steps 1-5 above
>
> 6. execute ./client_openssl
> - make some input, double return
> - watch on the server console how the correct CN appears two times
>
> 7. execute ./client_openssl_nocert
> - watch on the server console how the STALE CN from the previous connection appears
>
> 8. execute ./client_openssl_nocert
> - and the bug goes into hiding
>
> 9. If you repeat steps 6-8 the bug reappears/redisappears.
>
>
>
> I hope this helps,
> b.
>
>
>
> On 21 February 2010 01:45, Bostjan Skufca <bost...@a2o.si> wrote:
>> The patch includes code which is very similar but its functionality
>> goes just the other way around.
>>
>> The original code takes remote CN and if that contains asterisk, it
>> tries to 'limited-wildcard-match' of CN_match against remote CN
>> (remote CN is the pattern in this case, if you will).
>>
>> On the other hand, added code checks if CN_match contains asterisk and
>> if so, it does 'limited-wildcard-match' of REMOTE CN against CN_match
>> pattern.
>>
>>
>> The original version 'could' be enough if you are only considering PHP
>> as an SSL client.
>>
>>
>> Now, what I am trying to achieve is a whole standalone application
>> server written in PHP. That is, whole forking/process management etc
>> stuff. And I would like to set it up like this:
>> - it has an SSL listening socket
>> - set CN_match for listening socket to '*.example.org'
>> - create listening socket with stream_socket_server
>> All above in order to accept connections only from clients which
>> present themselves with appropriate certificate (based on cacert check
>> which works OK) and appropriate CN.
>>
>> To illustrate the desired functionality:
>> - CNs host1.example.org and host2.example.org are OK,
>> - but not CN host3.otherdomain.org, even if it presents a certificate
>> from the same CA as the two above.
>>
>>
>> Was I clear enough now? :)
>> b.
>>
>>
>>
>> PS: I've just discovered another issue. In the context of creating
>> listening socket with stream_socket_create, again.
>>
>> If a preceding SSL client has introduced itself with client
>> certificate, and the current client does not, the
>> [ssl][peer_certificate] of the new socket's context options still
>> contains a reference to a resource of the preceding client's certificate.
>> Later, subsequent client connections without certificate do not
>> exhibit the same behaviour.
>> If the pattern reoccurs (... ---> client-with-cert  ---> followed by
>> client-without-cert), the story repeats.
>>
>> There is also a memory leak in this - when I looped the client to
>> establish hundreds of sequential SSL connections, the residential
>> memory footprint of php server process was ever increasing. When I
>> switched my App server to HTTP protocol and repeated the test the
>> memory leak was not present anymore. And I did openssl_x509_free()
>> call on peer_certificate resource upon client disconnect.
>>
>>
>>
>>
>>
>> On 21 February 2010 00:05, Pierre Joye <pierre....@gmail.com> wrote:
>>> hi,
>>>
>>> Is it not supposed to work already? As your patch basically does what
>>> is done earlier in the code if match fails. If there is a bug in this
>>> area, we should fix instead of adding the same thing later :)
>>>
>>> I will check this issue next week.
>>>
>>> Btw, there is no chance to get this in 5.2.13 or 5.3.2 at this stage,
>>> it is too late in the process.
>>>
>>> Thanks for your work!
>>>
>>> Cheers,
>>>
>>> On Sat, Feb 20, 2010 at 8:56 PM, Bostjan Skufca <bost...@a2o.si> wrote:
>>>> Hi!
>>>>
>>>> I've created a patch that enables PHP to do "limited wildcard
>>>> matching" if CN_match option in stream context is specified as
>>>> '*.example.org'.
>>>> Also I have filed a bug report for this, here:
>>>> http://bugs.php.net/bug.php?id=51100
>>>>
>>>> Patch is here:
>>>> http://source.a2o.si/php/php-ext-openssl-CN_match-wildcard.diff
>>>>
>>>> It was made against 5.2.12 but I checked it with SVN:
>>>> - for 5.2 branch the offset is only +6 lines
>>>> - for trunk it is cca +800 lines
>>>>
>>>> Can you include it in 5.2.13 release and 5.3? I know the former is
>>>> already in RC stage but this can't break anything I believe.
>>>>
>>>> Best regards,
>>>> b.
>>>>
>>>> --
>>>> PHP Internals - PHP Runtime Development Mailing List
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Pierre
>>>
>>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>>>
>>
>



-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
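The CN check Bostjan describes in the thread (exact match first, then a 'limited wildcard match' in either direction: the original behaviour where the remote CN carries the asterisk, and the patched behaviour where the CN_match option carries it, so a server can vet client certificates against '*.example.org'), as an added stand-alone example. This is not the patch and not PHP's ext/openssl code; the exact rules for what "limited" means (a single leading "*." standing for exactly one label, with at least two labels after it) are my assumption.

```c
#include <stdio.h>
#include <string.h>

/* Limited wildcard match (assumed rules): PATTERN must be "*." followed by at
 * least two labels, and the asterisk stands for exactly one leftmost label of
 * NAME. So "*.example.org" accepts host1.example.org but rejects example.org,
 * a.host1.example.org and host3.otherdomain.org; "*.org" is never accepted. */
static int limited_wildcard_match(const char *pattern, const char *name)
{
    const char *suffix, *dot;
    size_t slen, nlen;

    if (strncmp(pattern, "*.", 2) != 0)
        return 0;
    suffix = pattern + 1;                  /* ".example.org" */
    if (strchr(suffix + 1, '.') == NULL)   /* refuse top-level-only patterns */
        return 0;
    if (strchr(suffix + 1, '*') != NULL)   /* only the one leading wildcard */
        return 0;

    slen = strlen(suffix);
    nlen = strlen(name);
    if (nlen <= slen)                      /* name must have a label in front */
        return 0;
    if (strcmp(name + nlen - slen, suffix) != 0)   /* suffix is name's tail */
        return 0;
    /* the part before the suffix must be exactly one non-empty label */
    dot = strchr(name, '.');
    return dot == name + nlen - slen && dot != name;
}

/* Exact match, then the original direction (remote CN holds the wildcard),
 * then the direction the patch adds (CN_match option holds the wildcard). */
int cn_match(const char *cn_match_opt, const char *remote_cn)
{
    if (strcmp(cn_match_opt, remote_cn) == 0)
        return 1;
    if (remote_cn[0] == '*' && limited_wildcard_match(remote_cn, cn_match_opt))
        return 1;
    if (cn_match_opt[0] == '*' && limited_wildcard_match(cn_match_opt, remote_cn))
        return 1;
    return 0;
}

int main(void)
{
    /* constructed client CNs, mirroring the thread's illustration */
    const char *clients[] = { "host1.example.org", "host2.example.org",
                              "host3.otherdomain.org", "a.host1.example.org" };
    for (size_t i = 0; i < 4; i++)
        printf("%-24s %s\n", clients[i],
               cn_match("*.example.org", clients[i]) ? "accepted" : "rejected");
    return 0;
}
```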
