c950f48e7a
- [PATCH 1/6] BUILD: fix "make install" to support spaces in the - [PATCH 2/6] BUG/MEDIUM: ssl: fix bad ssl context init can cause - [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory - [PATCH 4/6] BUG/MEDIUM: checks: fix conflicts between agent checks - [PATCH 5/6] BUG/MINOR: config: don't inherit the default balance - [PATCH 6/6] BUG/MAJOR: frontend: initialize capture pointers earlier Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
104 lines
3 KiB
Diff
104 lines
3 KiB
Diff
From 9bcc01ae25985dd540080f43b160beab1f1a2bc6 Mon Sep 17 00:00:00 2001
|
|
From: Willy Tarreau <w@1wt.eu>
|
|
Date: Thu, 13 Nov 2014 13:48:58 +0100
|
|
Subject: [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory
|
|
shortage
|
|
|
|
When memory becomes scarce and openssl refuses to allocate a new SSL
|
|
session, it is worth freeing the pools and trying again instead of
|
|
rejecting all incoming SSL connection. This can happen when some
|
|
memory usage limits have been assigned to the haproxy process using
|
|
-m or with ulimit -m/-v.
|
|
|
|
This is mostly an enhancement of previous fix and is worth backporting
|
|
to 1.5.
|
|
(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55)
|
|
---
|
|
src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++
|
|
1 file changed, 30 insertions(+)
|
|
|
|
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
index 620609f..f50efe5 100644
|
|
--- a/src/ssl_sock.c
|
|
+++ b/src/ssl_sock.c
|
|
@@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn)
|
|
/* If it is in client mode initiate SSL session
|
|
in connect state otherwise accept state */
|
|
if (objt_server(conn->target)) {
|
|
+ int may_retry = 1;
|
|
+
|
|
+ retry_connect:
|
|
/* Alloc a new SSL session ctx */
|
|
conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
|
|
if (!conn->xprt_ctx) {
|
|
+ if (may_retry--) {
|
|
+ pool_gc2();
|
|
+ goto retry_connect;
|
|
+ }
|
|
conn->err_code = CO_ER_SSL_NO_MEM;
|
|
return -1;
|
|
}
|
|
@@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn)
|
|
if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
|
|
SSL_free(conn->xprt_ctx);
|
|
conn->xprt_ctx = NULL;
|
|
+ if (may_retry--) {
|
|
+ pool_gc2();
|
|
+ goto retry_connect;
|
|
+ }
|
|
conn->err_code = CO_ER_SSL_NO_MEM;
|
|
return -1;
|
|
}
|
|
@@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn)
|
|
if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
|
|
SSL_free(conn->xprt_ctx);
|
|
conn->xprt_ctx = NULL;
|
|
+ if (may_retry--) {
|
|
+ pool_gc2();
|
|
+ goto retry_connect;
|
|
+ }
|
|
conn->err_code = CO_ER_SSL_NO_MEM;
|
|
return -1;
|
|
}
|
|
@@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn)
|
|
return 0;
|
|
}
|
|
else if (objt_listener(conn->target)) {
|
|
+ int may_retry = 1;
|
|
+
|
|
+ retry_accept:
|
|
/* Alloc a new SSL session ctx */
|
|
conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
|
|
if (!conn->xprt_ctx) {
|
|
+ if (may_retry--) {
|
|
+ pool_gc2();
|
|
+ goto retry_accept;
|
|
+ }
|
|
conn->err_code = CO_ER_SSL_NO_MEM;
|
|
return -1;
|
|
}
|
|
@@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn)
|
|
if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
|
|
SSL_free(conn->xprt_ctx);
|
|
conn->xprt_ctx = NULL;
|
|
+ if (may_retry--) {
|
|
+ pool_gc2();
|
|
+ goto retry_accept;
|
|
+ }
|
|
conn->err_code = CO_ER_SSL_NO_MEM;
|
|
return -1;
|
|
}
|
|
@@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn)
|
|
if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
|
|
SSL_free(conn->xprt_ctx);
|
|
conn->xprt_ctx = NULL;
|
|
+ if (may_retry--) {
|
|
+ pool_gc2();
|
|
+ goto retry_accept;
|
|
+ }
|
|
conn->err_code = CO_ER_SSL_NO_MEM;
|
|
return -1;
|
|
}
|
|
--
|
|
2.0.4
|
|
|