[stunnel-users] Possible memory leak with stunnel reload

Mark Brookes mark at loadbalancer.org
Tue Apr 3 13:19:56 CEST 2018


Hi all, we have noticed that when reloading (note: reloading, not restarting)
stunnel, it appears to be leaking between 12 and 32 bytes of memory (ish) per
reload. There does not need to be any traffic passing through it at the time
to view this problem. If it's reloaded enough times, the system will
eventually run out of memory, unless an stunnel restart is performed in
between.

We are running 5.41; we tried with the latest 5.44 and have the same result.
We are using OpenSSL 1.0.2j-fips; I've tried with 1.0.2n and 1.1.0e (to try
and rule out OpenSSL).

We are reloading by running: kill -s HUP <pid>

The stunnel configuration is -

pid = /var/run/stunnel/stunnel.pid
debug = 7
syslog = no
output = /var/log/stunnel.log
socket = a:IP_FREEBIND=yes
fips = no
sslVersion = all
[VIP_Name]
    cert = /etc/loadbalancer.org/certs/server.pem
    ciphers = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
    accept = 192.168.80.16:443
    connect = 127.0.0.5:80
    delay = yes
    options = NO_SSLv3
    options = NO_TLSv1
    options = DONT_INSERT_EMPTY_FRAGMENTS
    renegotiation = no
    local = 192.168.80.16
    TIMEOUTclose = 0

The stunnel log file is as follows -
2018.04.03 11:09:59 LOG7[ui]: Clients allowed=62937
2018.04.03 11:09:59 LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform
2018.04.03 11:09:59 LOG5[ui]: Compiled/running with OpenSSL 1.0.2j-fips  26 Sep 2016
2018.04.03 11:09:59 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2018.04.03 11:09:59 LOG7[ui]: errno: (*__errno_location ())
2018.04.03 11:09:59 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2018.04.03 11:09:59 LOG5[ui]: UTF-8 byte order mark not detected
2018.04.03 11:09:59 LOG5[ui]: FIPS mode disabled
2018.04.03 11:09:59 LOG7[ui]: Compression disabled
2018.04.03 11:09:59 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
2018.04.03 11:09:59 LOG7[ui]: PRNG seeded successfully
2018.04.03 11:09:59 LOG6[ui]: Initializing service [VIP_Name]
2018.04.03 11:09:59 LOG7[ui]: Ciphers: ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
2018.04.03 11:09:59 LOG7[ui]: TLS options: 0x07004804 (+0x07004800, -0x00000000)
2018.04.03 11:09:59 LOG6[ui]: Loading certificate from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG6[ui]: Certificate loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG6[ui]: Loading private key from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG6[ui]: Private key loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG7[ui]: Private key check succeeded
2018.04.03 11:09:59 LOG7[ui]: ECDH initialization
2018.04.03 11:09:59 LOG7[ui]: ECDH initialized with curve prime256v1
2018.04.03 11:09:59 LOG5[ui]: Configuration successful
2018.04.03 11:09:59 LOG7[ui]: Binding service [VIP_Name]
2018.04.03 11:09:59 LOG7[ui]: Listening file descriptor created (FD=6)
2018.04.03 11:09:59 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.04.03 11:09:59 LOG7[ui]: Option IP_FREEBIND set on accept socket
2018.04.03 11:09:59 LOG7[ui]: Service [VIP_Name] (FD=6) bound to 192.168.80.16:443
2018.04.03 11:09:59 LOG7[main]: Created pid file /var/run/stunnel/stunnel.pid
2018.04.03 11:09:59 LOG7[cron]: Cron thread initialized
2018.04.03 11:10:59 LOG6[cron]: Executing cron jobs
2018.04.03 11:10:59 LOG6[cron]: Cron jobs completed in 0 seconds
2018.04.03 11:10:59 LOG7[cron]: Waiting 86400 seconds
2018.04.03 11:11:08 LOG7[main]: Found 1 ready file descriptor(s)
2018.04.03 11:11:08 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.04.03 11:11:08 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.04.03 11:11:08 LOG7[main]: Dispatching signals from the signal pipe
2018.04.03 11:11:08 LOG7[main]: Processing SIGNAL_RELOAD_CONFIG
2018.04.03 11:11:08 LOG5[main]: Reading configuration from file /etc/stunnel/stunnel.conf
2018.04.03 11:11:08 LOG5[main]: UTF-8 byte order mark not detected
2018.04.03 11:11:08 LOG5[main]: FIPS mode disabled
2018.04.03 11:11:08 LOG7[main]: Compression disabled
2018.04.03 11:11:08 LOG7[main]: Snagged 64 random bytes from /dev/urandom
2018.04.03 11:11:08 LOG7[main]: PRNG seeded successfully
2018.04.03 11:11:08 LOG6[main]: Initializing service [VIP_Name]
2018.04.03 11:11:08 LOG7[main]: Ciphers: ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
2018.04.03 11:11:08 LOG7[main]: TLS options: 0x07004804 (+0x07004800, -0x00000000)
2018.04.03 11:11:08 LOG6[main]: Loading certificate from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG6[main]: Certificate loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG6[main]: Loading private key from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG6[main]: Private key loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG7[main]: Private key check succeeded
2018.04.03 11:11:08 LOG7[main]: ECDH initialization
2018.04.03 11:11:08 LOG7[main]: ECDH initialized with curve prime256v1
2018.04.03 11:11:08 LOG5[main]: Configuration successful
2018.04.03 11:11:08 LOG7[main]: Unbinding service [VIP_Name]
2018.04.03 11:11:08 LOG7[main]: Service [VIP_Name] closed (FD=6)
2018.04.03 11:11:08 LOG7[main]: Service [VIP_Name] closed
2018.04.03 11:11:08 LOG7[main]: Binding service [VIP_Name]
2018.04.03 11:11:08 LOG7[main]: Listening file descriptor created (FD=6)
2018.04.03 11:11:08 LOG7[main]: Option SO_REUSEADDR set on accept socket
2018.04.03 11:11:08 LOG7[main]: Option IP_FREEBIND set on accept socket
2018.04.03 11:11:08 LOG7[main]: Service [VIP_Name] (FD=6) bound to 192.168.80.16:443
2018.04.03 11:11:08 LOG7[main]: Signal pipe is empty

Any help would be appreciated.

Thanks
-- 

Mark Brookes
Loadbalancer.org Ltd.
www.loadbalancer.org


+44 (0)330 380 1064
mark at loadbalancer.org
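
One way to quantify the per-reload growth reported in this message, as an added example that is not part of the original post or of stunnel itself. It assumes Linux /proc and the pid file path from the posted configuration; the function names are hypothetical. Because VmRSS is reported in whole pages, a leak of tens of bytes only becomes visible as an average over thousands of reloads.

```shell
#!/bin/sh
# Added example: average resident-memory growth per SIGHUP reload.
# Assumptions: Linux /proc; pid file path taken from the posted config.

PIDFILE="${PIDFILE:-/var/run/stunnel/stunnel.pid}"

# Print the resident set size (VmRSS) of process $1 in kB.
rss_kb() {
    awk '/^VmRSS:/ { print $2 }' "/proc/$1/status"
}

# Average growth in bytes per reload.
# $1 = RSS before (kB), $2 = RSS after (kB), $3 = number of reloads
bytes_per_reload() {
    echo $(( ($2 - $1) * 1024 / $3 ))
}

# Send $2 reloads to process $1 and report the averaged growth.
measure() {
    pid=$1; reloads=$2
    before=$(rss_kb "$pid")
    i=0
    while [ "$i" -lt "$reloads" ]; do
        kill -s HUP "$pid" || return 1
        sleep 0.2            # let the reload finish before the next one
        i=$((i + 1))
    done
    after=$(rss_kb "$pid")
    echo "before=${before}kB after=${after}kB reloads=${reloads}" \
         "avg=$(bytes_per_reload "$before" "$after" "$reloads") bytes/reload"
}

# Signals are sent only when asked for, e.g.: ./reload-leak.sh --run 10000
if [ "${1:-}" = "--run" ]; then
    measure "$(cat "$PIDFILE")" "${2:-10000}"
fi
```

Run it against an idle instance so that connection handling does not contribute to the RSS delta.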