Re: SSL certificates and increasing memory usage

From: Jerry Blakley <>
Date: Thu, 26 Sep 2013 10:58:12 -0700

Sorry to be so long resolving this. I applied the patch and did some
analysis. It turns out my original analysis was incorrect. As
multi_runsingle is called on a new connection, one of the calls is made
with easy->state equal to CURLM_STATE_WAITCONNECT. This sets off the chain
of calls which leads to cert_stuff. If the call is on a reused connection,
this path is not taken. So the memory leak I am seeing is not related to
reused connections reallocating certificates. So it must simply be related
to allocations of certificates on new connections.

The chain of calls in the pprof output includes PK11_CreateGenericObject
and PK11_DestroyTokenObject (we're in the nss library at this point --
should I move this discussion somewhere else?). I'm guessing either more
objects are being created than destroyed, or objects are being created in
parts and not all parts destroyed. I wasn't able to tell if some of the
work you pointed me to with the links addresses this issue particularly. I
downloaded nss-3.15.1-stripped.tar.bz2 from koji and used it as a
reference for debugging, but didn't make much headway.

I'm uncertain what to do at this point. Any help appreciated.

On Tue, Aug 20, 2013 at 11:49 AM, Jerry Blakley <> wrote:

> Thanks Daniel for the patch for cert_stuff. It seems like the proper
> solution. I'll look into taking that direction.
> Also, thanks Kamil for the references. I'll need to look there more
> carefully. It does seem that the issue boils down to allocations
> in pem_CreateObject, and the references to finalize look promising.
> I continue to gather more metrics to get a better handle. We expect our
> fusedav instance to need about 70M of memory and by running a continual
> series of tests overnight can see that extend to 150M, so that's the size
> of the problem we are investigating.
> Thanks again.
> Jerry
>
> On Tue, Aug 20, 2013 at 1:52 AM, Kamil Dudka <> wrote:
>
>> On Tuesday 20 August 2013 10:39:02 Daniel Stenberg wrote:
>> > On Mon, 19 Aug 2013, Jerry Blakley wrote:
>> > > What seems to be happening is that while the session is open and the
>> > > connection reused, we make the repeated allocations in nss_create_object,
>> > > increasing memory usage, until the session ends and curl_easy_cleanup is
>> > > called.
>> > >
>> > > Is this the case, and should it be so? Or is there/should there be some
>> > > intermediary cleanup routine, or an ability to reuse the certificate
>> > > information without the reallocation?
>> >
>> > Hi,
>> >
>> > I'm not an NSS expert but it looks to me like there's no need to reload the
>> > cert/key when the connection is re-used (as it is only re-used when the
>> > same cert/key is set). What about a patch like the attached?
>>
>> Thanks for the patch! I see cert_stuff() is called only when doing an SSL
>> handshake. Can it actually happen that a new handshake is initiated on a
>> reused connection?
>>
>> Kamil

Received on 2013-09-26