对等体断开连接后未释放SSL内存
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了对等体断开连接后未释放SSL内存相关的知识,希望对你有一定的参考价值。
我正在使用非阻塞套接字开发一个简单的多线程HTTP / s服务器,以基于Linux Epoll处理HTTP请求。它创建4/8个线程(结构SSLWorker),每个线程都可以接受和处理连接,除了SSL_CTX(结构SSLContext)之外,连接之间没有共享数据。
随着每个新的连接,内存将增长,并且在断开连接后,内存将永远不会释放。我不知道原因。似乎它与SSL代码有关,因为使用HTTP请求时不会发生。
使用valgrind,heaptrack和泄漏清理程序无济于事,因为似乎内存仍然可以访问并且未检测到泄漏。如何清理Connection struct SSL和BIO数据的正确方法和顺序? (freeSsl())。关于我所缺少的任何帮助吗?
注意:-尝试使用Debian和自建的Openssl 1.1和1.1.1,它们的行为相同。-当客户端使用TLS 1.2时,内存增长更为明显-尝试禁用内部SSL SESSION缓存并设置SSL_MODE_RELEASE_BUFFERS。-从客户端开始断开连接。
struct SSLContext //Shared between worker threads
SSL_CTX *ssl_ctxnullptr;
SSLContext()
ERR_load_crypto_strings();
ERR_load_SSL_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
int r = SSL_library_init();
ssl_ctx = SSL_CTX_new(SSLv23_method());
int r = SSL_CTX_use_certificate_file(ssl_ctx, global::cert_file.c_str(),
SSL_FILETYPE_PEM);
r = SSL_CTX_use_PrivateKey_file(ssl_ctx, global::key_file.c_str(), SSL_FILETYPE_PEM);
r = SSL_CTX_check_private_key(ssl_ctx);
virtual ~SSLContext()
SSL_CTX_free(ssl_ctx);
ERR_free_strings();
;
struct Connection //Data associated to every connection
int sock_fd;
SSL *sslnullptr;
BIO *sbionullptr;// socket bio
BIO *ionullptr;// buffer bio
BIO *ssl_bionullptr;// ssl bio
~Connection() //free ssl objects
if (ssl != nullptr)
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
freeSsl();
if(sock_fd > 0) ::close(sock_fd);
void freeSsl() //free connection
//SSL_shutdown(ssl); it seems to be done by bellow free call.
//SSL_free(ssl); it seems to be done by bellow free call.
if(sbio != nullptr)
BIO_free(sbio);
sbio = nullptr;
if(io != nullptr)
BIO_flush(io);
BIO_free(io);
io = nullptr;
if(ssl_bio != nullptr)
BIO_flush(ssl_bio);
BIO_free(ssl_bio);
ssl_bio = nullptr;
ssl = nullptr;
bool enableReadEvent(); //enable socket read events, set EPOLLIN | EPOLLET
bool enableWriteEvent();//enable socket write event, set EPOLLOUT | EPOLLET
;
struct SSLConnectionManager //ssl operations hanldler.
static SSLContext ssl_context;
bool handleHandshake(Connection &ssl_connection) //Initialize connection and do hanshake
if(ssl_connection.ssl != nullptr) ssl_connection.freeSsl();
ssl_connection.ssl = SSL_new(ssl_context->ssl_ctx);
ssl_connection.sbio = BIO_new_socket(ssl_connection.sock_fd, BIO_CLOSE);
SSL_set_bio(ssl_connection.ssl, ssl_connection.sbio, ssl_connection.sbio);
ssl_connection.io = BIO_new(BIO_f_buffer());
ssl_connection.ssl_bio = BIO_new(BIO_f_ssl());
BIO_set_ssl(ssl_connection.ssl_bio, ssl_connection.ssl, BIO_CLOSE);
BIO_push(ssl_connection.io, ssl_connection.ssl_bio);
SSL_set_accept_state(ssl_connection.ssl);
int r = SSL_do_handshake(ssl_connection.ssl);
if (r == 1)
ssl_connection.ssl_connected = true;
ssl_connection.enableReadEvent();
return true;
int err = SSL_get_error(ssl_connection.ssl, r);
if (err == SSL_ERROR_WANT_WRITE || err == SSL_ERROR_WANT_READ)
ssl_connection.enableReadEvent();
return true;
//"SSL_do_handshake error, abort connection
return false;
IO::IO_RESULT SSLConnectionManager::handleRead(Connection &ssl_connection)
if (!ssl_connection.ssl_connected)
return IO::IO_RESULT::SSL_NEED_HANDSHAKE;
int rc = -1;
int bytes_read = 0;
for (;;)
rc = BIO_read(ssl_connection.io,
ssl_connection.buffer + ssl_connection.buffer_size,
static_cast<int>(MAX_DATA_SIZE - ssl_connection.buffer_size));
if (rc == 0)
return bytes_read > 0 ? IO::IO_RESULT::SUCCESS : IO::IO_RESULT::ZERO_DATA_READ;
else if (rc < 0)
if (BIO_should_retry(ssl_connection.io))
return IO::IO_RESULT::DONE_TRY_AGAIN;
return IO::IO_RESULT::ERROR;
bytes_read += rc;
ssl_connection.buffer_size += static_cast<size_t>(rc);
return IO::IO_RESULT::SUCCESS;
IO::IO_RESULT SSLConnectionManager::handleWrite(Connection &ssl_connection,
const char *data, size_t data_size, size_t &written)
if (!ssl_connection.ssl_connected)
return IO::IO_RESULT::SSL_NEED_HANDSHAKE; // after we call handleHanshake
IO::IO_RESULT result;
int rc = -1;
written = 0;
for (;;)
rc = BIO_write(ssl_connection.io, data + written, static_cast<int>(data_size - written));
if (rc == 0)
result = IO::IO_RESULT::DONE_TRY_AGAIN;
break;
else if (rc < 0)
if (BIO_should_retry(ssl_connection.io))
result = IO::IO_RESULT::DONE_TRY_AGAIN;
break;
else
return IO::IO_RESULT::ERROR;
else
written += rc;
if ((data_size - written) == 0)
result = IO::IO_RESULT::SUCCESS;
break;
;
BIO_flush(ssl_connection.io);
return result;
;
struct SSLWorker : EpollManager //Thread worker task.
SSLConnectionManager ssl_connection_manager;
bool onConnectEvent(Connection &ssl_connection)
auto sock_fd = accept(...);
Connection * new_connection = new Connection(sock_fd);
addToEventManager(*new_connection, EV_READ);
void doWork()
is_running = true;
int res = 0;
epoll_event events[1024];
while (is_running)
res = ::epoll_wait(epoll_fd, events, 1024, -1);
if (res < 0)
return;
for (int i = 0; i < res; i++)
auto conn = static_cast<Connection *>(events[i].data.ptr);
if (events[i].events & (EPOLLHUP | EPOLLERR | EPOLLRDHUP))
delete conn; //remote closed connection, free all
else
if (events[i].events & EPOLLIN)
if (conn->fd == global::listen_fd)
onConnectEvent();
continue;
else
ssl_connection_manager.handleRead(*conn);
processRequest();
conn.enableWriteEvent();
if (events[i].events & EPOLLOUT)
ssl_connection_manager.handleWrite(*conn);
;
在简短执行后,您会在这里看到什么堆跟踪报告泄漏。
答案
为此找到任何解决方案?甚至我也遇到类似的问题
以上是关于对等体断开连接后未释放SSL内存的主要内容,如果未能解决你的问题,请参考以下文章
当应用程序进入后台时,实时多人 Google Play 游戏服务对等方断开连接
Poloniex 通过 Autobahn 推送 WAMP API,断开与对等 tcp 的连接