File 0005-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch of Package haproxy.748
From 5cf7c2cc0c0dd74ae7e49b359b56750baaed4e4f Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 13 Nov 2014 13:48:58 +0100
Subject: [PATCH 05/13] BUG/MEDIUM: ssl: force a full GC in case of memory shortage

When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55)
---
 src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 620609f..f50efe5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn)
 /* If it is in client mode initiate SSL session in connect state otherwise accept state */
 if (objt_server(conn->target)) {
+ int may_retry = 1;
+
+ retry_connect:
 /* Alloc a new SSL session ctx */
 conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
 if (!conn->xprt_ctx) {
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
 conn->err_code = CO_ER_SSL_NO_MEM;
 return -1;
 }
@@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn)
 if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
 SSL_free(conn->xprt_ctx);
 conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
 conn->err_code = CO_ER_SSL_NO_MEM;
 return -1;
 }
@@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn)
 if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
 SSL_free(conn->xprt_ctx);
 conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_connect;
+ }
 conn->err_code = CO_ER_SSL_NO_MEM;
 return -1;
 }
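Review bot: The four-line `if (may_retry--) { pool_gc2(); goto retry_connect; }` block is pasted at all three failure sites of the connect branch (and three more times with `retry_accept` in the listener branch), and nothing at the declaration says that the single retry budget is shared by the SSL_new, SSL_set_fd and SSL_set_app_data steps. I would state that where the flag is declared, `int may_retry = 1; /* one pool_gc2() + retry per call, shared by all three steps below */`. The post-decrement also leaves the flag at -1 on the final failure; that is harmless today because every site returns right after, but `if (may_retry) { may_retry = 0; ...` keeps it from reading as true if another check is added later. Freeing conn->xprt_ctx and resetting it to NULL before each `goto` looks correct, so the retry does not leak the previous SSL object. ssl_sock_init starts and ends outside these hunks.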
@@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn)
 return 0;
 }
 else if (objt_listener(conn->target)) {
+ int may_retry = 1;
+
+ retry_accept:
 /* Alloc a new SSL session ctx */
 conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
 if (!conn->xprt_ctx) {
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
 conn->err_code = CO_ER_SSL_NO_MEM;
 return -1;
 }
@@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn)
 if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
 SSL_free(conn->xprt_ctx);
 conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
 conn->err_code = CO_ER_SSL_NO_MEM;
 return -1;
 }
@@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn)
 if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
 SSL_free(conn->xprt_ctx);
 conn->xprt_ctx = NULL;
+ if (may_retry--) {
+ pool_gc2();
+ goto retry_accept;
+ }
 conn->err_code = CO_ER_SSL_NO_MEM;
 return -1;
 }
-- 
2.1.4
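Review bot: In the listener branch the `pool_gc2()` retry is reached from inbound connections, and these hunks show no counter, log line or rate limit around it, so while the process sits at its memory limit every failing handshake may pay for a full pool flush without the operator seeing why. `may_retry = 1` bounds this to one flush per connection, not per time window; the cost of pool_gc2() is not visible here, so that is worth confirming rather than assuming. I would at least note it at the label, `/* full GC on the accept path: once per connection, not rate-limited across connections */`, and consider counting these events so memory-pressure episodes show up in monitoring. The enclosing function continues outside the hunk.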