https://bz.apache.org/bugzilla/show_bug.cgi?id=62892

            Bug ID: 62892
           Summary: Memory leak when performing client certificate
                    validation with OCSP
           Product: Tomcat Native
           Version: 1.2.17
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Library
          Assignee: dev@tomcat.apache.org
          Reporter: sander.bensc...@42.nl
  Target Milestone: ---

Created attachment 36251
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36251&action=edit
Figures 1 & 2

We are using the Tomcat APR connector in our application to perform
client-certificate validation with OCSP checks. We've noticed a gradual
increase in the memory consumed by the Java process until the system runs out
of memory and the OOM-killer we configured kills and restarts the process.

The application we created is queried often (every second by two simultaneous
clients). We have tested this with two types of client certificates from two
different root CAs: PKIoverheid (the root certificate of the Dutch national
government) and Comodo certificates, both containing OCSP URLs. We first
noticed the problem with the PKIoverheid certificates, which are larger in size
than the Comodo certificates. In figure 1, showing the available server memory,
you can see that using these larger PKIoverheid certificates the server runs
out of memory every 2.5 to 3 hours. Afterwards we tried the same thing with the
smaller Comodo certificates (see figure 2), which had the same result but took
longer (15 hours).

When we turned off the client certificate validation, by either commenting out
the call to X509_verify_cert in OpenSSL (which in turn calls Tomcat Native's
SSL_callback_SSL_verify, which performs the OCSP checks) or setting
SSLVerifyClient to "none" and clientAuth to "false" in the APR connector, the
server did not run out of memory and the graph of available memory flatlined.

I have tested this with the Apache Native Library v1.2.17, Tomcat v9.0.12, APR
v1.5.2 and JDK v1.8.0_181 running on an Ubuntu 16.04.5 server. On the JBoss
JIRA I spotted a similar issue where somebody used different versions but had
the same problem: https://issues.jboss.org/browse/JWS-1140.

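The two connector states the report compares, written out as an added server.xml fragment for Tomcat 9 (this is an editor's illustration, not configuration from the bug report or from the Tomcat project). It uses the current SSLHostConfig form of the settings; the legacy SSLVerifyClient and clientAuth attributes named in the report map onto certificateVerification. The certificate and CA file paths are assumptions. The second connector reproduces the reporter's diagnostic step of switching verification off: with certificateVerification="none" the OpenSSL verify callback (and with it the OCSP lookup) is never entered, so the leak disappears, but so does client authentication. It is a way to confirm where the growth comes from, not a production workaround.

```xml
<!-- Added example, not from the bug report. Paths are assumptions. -->
<!-- APR/OpenSSL engine must be enabled for the Http11AprProtocol connector. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- State 1: the reporter's leaking configuration.
     Client certificates are required and verified against the CA bundle;
     with OpenSSL, verification enters SSL_callback_SSL_verify, which
     performs the OCSP request for certificates that carry an OCSP URL. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">
  <SSLHostConfig certificateVerification="required"
                 certificateVerificationDepth="10"
                 caCertificateFile="/etc/ssl/client-ca-bundle.pem">
    <Certificate certificateFile="/etc/ssl/server.crt"
                 certificateKeyFile="/etc/ssl/server.key"
                 certificateChainFile="/etc/ssl/server-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- State 2: the diagnostic comparison from the report (verification off).
     No client certificate is requested, so the verify callback and the
     OCSP check never run. This removes client authentication entirely;
     use it only to confirm that memory growth tracks the verification path. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">
  <SSLHostConfig certificateVerification="none">
    <Certificate certificateFile="/etc/ssl/server.crt"
                 certificateKeyFile="/etc/ssl/server.key"
                 certificateChainFile="/etc/ssl/server-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

When comparing the two, drive both connectors with the same client-certificate traffic the report describes (two clients, one request per second) and sample the Java process's resident set size over the same interval; only the first connector should show the steady growth of figures 1 and 2.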