[PATCH] minor leak in StartTLS
Martin Atkins
mart at degeneration.co.uk
Thu Mar 6 18:18:58 UTC 2008
Jacob Burkhart wrote:
> I didn't realize it was possible to have multiple VHosts. Is it
> possible to have multiple certs too?
>
> http://code.sixapart.com/trac/djabberd/browser/trunk/djabberd.conf
>
> The example config shows the certs being configured at the top level
> (outside the context of the VHost), so I assumed it was not possible to
> have more than one set of certs. I'll look into it more...
>
Actually, I think you're right. I misread the lines of code that
reference the cert settings:
Net::SSLeay::CTX_use_certificate_file(
$ctx,
$conn->vhost->server->ssl_cert_file,
&Net::SSLeay::FILETYPE_PEM
);
I didn't notice the ->server in there.
However, the same thing still applies: you could potentially have
several servers running in the same process too. The stock djabberd
script doesn't do this, but djabberd can be embedded in other stuff as
well. I'm not sure what the best solution is, though. Having the SSL
context in the server object would mean that the server core would
depend on Net::SSLeay, which is a bit of a layering violation.
It seems strange to me that the cert would be server-wide, since certs
normally have the domain name in them so you'd need a different cert for
each domain and thus each vhost. Maybe I'm just misunderstanding how all
this works, though.
Would you mind cooking up a patch that just calls CTX_free at an
appropriate moment to fix the memory leak? I'll try to get hold of Brad
(who wrote this SSL stuff) and see what he thinks the SSL context object
is supposed to "belong" to.
More information about the Djabberd mailing list
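As an added example, not code from djabberd or from anyone in this thread: one way to pair CTX_new with CTX_free is to give the SSL_CTX an owner object whose DESTROY releases it, build one context per vhost (since, as noted above, the certificate carries the domain name), and have per-connection StartTLS allocate only an SSL object from that shared context. The package name TLSContext, the helper names ctx_for, start_tls and stop_tls, and the cert_file/key_file arguments are assumptions for illustration; the Net::SSLeay calls are the module's real API.

```perl
#!/usr/bin/perl
# Added example (not djabberd code): an SSL_CTX owned by an object and
# released in DESTROY, so a StartTLS connection cannot leak its context.
use strict;
use warnings;
use Net::SSLeay qw(die_now die_if_ssl_error);

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

package TLSContext;   # hypothetical name, not a djabberd class

# Build one SSL_CTX for a cert/key pair. The caller is assumed to keep
# one pair per vhost, because the certificate names the domain.
sub new {
    my ($class, %args) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die_now("CTX_new failed: $!");
    Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
    die_if_ssl_error("CTX_set_options");
    Net::SSLeay::CTX_use_certificate_file($ctx, $args{cert_file},
                                          &Net::SSLeay::FILETYPE_PEM)
        or die_now("CTX_use_certificate_file $args{cert_file}");
    Net::SSLeay::CTX_use_PrivateKey_file($ctx, $args{key_file},
                                         &Net::SSLeay::FILETYPE_PEM)
        or die_now("CTX_use_PrivateKey_file $args{key_file}");
    Net::SSLeay::CTX_check_private_key($ctx)
        or die_now("certificate and private key do not match");
    return bless { ctx => $ctx }, $class;
}

sub ctx { $_[0]{ctx} }

# Release the context exactly once, when its owner goes out of scope
# (for example when the vhost or embedding server is torn down).
sub DESTROY {
    my $self = shift;
    Net::SSLeay::CTX_free($self->{ctx}) if $self->{ctx};
    $self->{ctx} = undef;
}

package main;

# One context per vhost, built on first use and cached; the cache owns
# the TLSContext objects, so dropping the cache frees every CTX.
my %ctx_for_vhost;
sub ctx_for {
    my ($vhost, $cert_file, $key_file) = @_;
    $ctx_for_vhost{$vhost} ||= TLSContext->new(cert_file => $cert_file,
                                                key_file  => $key_file);
    return $ctx_for_vhost{$vhost};
}

# Per-connection StartTLS: allocate only an SSL object from the shared
# CTX, attach the socket, and run the server-side handshake.
sub start_tls {
    my ($sock, $ctx_obj) = @_;
    my $ssl = Net::SSLeay::new($ctx_obj->ctx) or die_now("SSL_new failed");
    Net::SSLeay::set_fd($ssl, fileno($sock));
    my $rv = Net::SSLeay::accept($ssl);
    die_if_ssl_error("SSL_accept") if $rv <= 0;
    return $ssl;
}

# Connection close: free the SSL object, never the CTX it came from.
sub stop_tls {
    my ($ssl) = @_;
    Net::SSLeay::shutdown($ssl);
    Net::SSLeay::free($ssl);
}

# Usage sketch (assumed file names): my $ctx = ctx_for('example.org',
#   '/etc/djabberd/example.org.crt', '/etc/djabberd/example.org.key');
# my $ssl = start_tls($client_sock, $ctx);  ...  stop_tls($ssl);
```

Splitting ownership this way also answers the layering concern raised in the message: only the TLSContext package touches Net::SSLeay, and the server or vhost object merely holds a reference to it, so the core does not need to know the type of what it is holding.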