curl-library

Re: [PATCH] Correct refcount issues when using client certs in NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 3 Jun 2009 17:56:17 +0200

Hi Claes,

On Sunday 31 May 2009 16:24:03 Kamil Dudka wrote:
> On Sunday 31 of May 2009 15:43:30 Claes Jakobsson wrote:
> > I've attached a new patch against CVS that removes the client_cert
> > member from ssl_connect_data and all its uses. All tests pass as does
> > my script that uses smartcard certs. Could you test to see that it
> > doesn't break anything for you?
>
> it works for me. The memory leak is most likely the PEM reader issue. I am
> going to investigate it next week. Anyway the patch looks pretty sane to
> me.
>
> > The debug log was for the working variant. The reason it didn't close
> > the sessions was a bug in the perl bindings that I've fixed so that
> > curl is properly shut down on exit - a patch for this has been sent
> > to Balint.
>
> Then it should be ok. I'll try it also with the NSS database. Thanks!

I've compiled libcurl without HAVE_PK11_CREATEGENERICOBJECT to exclude PEM
reader bugs. So it uses only the NSS database for certificates and it still
leaks memory with your patch. The only difference is that I use SSLv3
(meaning different NSS code).

It seems like an NSS bug to me. I've spent some time debugging it, but without
any success yet. The certificate is duplicated two times within NSS - in the
ssl3_SendCertificate() function and in the ssl3_HandleFinished() function.
So the refCount became 3 and then it is never decreased to zero (but only 1).

Any ideas?

Kamil
Received on 2009-06-03