Package: haproxy / 1.5.8-3+deb8u2

from-upstream/0002-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
From 1d4f49cb26cf2e7a1ce153d961262c9df58e2bd8 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 13 Nov 2014 13:48:58 +0100
Subject: [PATCH 2/9] BUG/MEDIUM: ssl: force a full GC in case of memory
 shortage

When memory becomes scarce and openssl refuses to allocate a new SSL
session, it is worth freeing the pools and trying again instead of
rejecting all incoming SSL connection. This can happen when some
memory usage limits have been assigned to the haproxy process using
-m or with ulimit -m/-v.

This is mostly an enhancement of previous fix and is worth backporting
to 1.5.
(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55)
---
 src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 620609f2f445..f50efe504a8e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn)
 	/* If it is in client mode initiate SSL session
 	   in connect state otherwise accept state */
 	if (objt_server(conn->target)) {
+		int may_retry = 1;
+
+	retry_connect:
 		/* Alloc a new SSL session ctx */
 		conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
 		if (!conn->xprt_ctx) {
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_connect;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn)
 		if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_connect;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn)
 		if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_connect;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn)
 		return 0;
 	}
 	else if (objt_listener(conn->target)) {
+		int may_retry = 1;
+
+	retry_accept:
 		/* Alloc a new SSL session ctx */
 		conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
 		if (!conn->xprt_ctx) {
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_accept;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn)
 		if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_accept;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
@@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn)
 		if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
 			SSL_free(conn->xprt_ctx);
 			conn->xprt_ctx = NULL;
+			if (may_retry--) {
+				pool_gc2();
+				goto retry_accept;
+			}
 			conn->err_code = CO_ER_SSL_NO_MEM;
 			return -1;
 		}
-- 
2.1.3