On 2023-09-25, Tobias Fiebig <[email protected]> wrote:
> On Mon, 2023-09-25 at 18:15 +0200, Rudolf Leitgeb wrote:
>> Either this, or the TLS 1.3 code was always buggy, but now
>> it was actually used per default.
> Yes, setting up nginx with enabled tlsv1.3 on 7.2 and earlier is also
> on the todo. Similarly, disabling tlsv1.3 and forcing tlsv1.3 on
> earlier versions.
>
> Still, the earlier versions i had been running seemed to support
> tlsv1.3, at least according to s_client. But the use as default might
> change things.
The www/nginx port has had working TLS 1.3 since 2020, I've been using
it pretty much since that happened. It will be difficult to get reports
from others about this on 7.3 because nginx was not updated to 1.24.0
in ports until after 7.3. FWIW I'm using 1.24.0 on -current from
Jul 31st with no issues.

I would try updating the problematic system to new -current (7.4-beta)
with snapshot packages rather than self-built nginx. If that fixes it
anyway then good. If not then we have a data point more likely to be
reproducible by others, and maybe a chance of fixing before 7.4 is
totally locked down.

> pdns itself is not leaking, the memory is hogged by mariadb. But (given
> everything runs via unix sockets) i am not using TLS in that stack at
> all. This is what initially nudged me a bit towards other functions that
> might be used from libressl (sha* or something used in auth maybe?).

My reasonably busy traccar/mariadb 7.3 box has stable memory use from
mariadb (sitting around 13G, with innodb_buffer_pool_size=12G).

...

"memory leak" doesn't give much of an idea of what's going on, some
data would be good. KB, MB, GB? per minute? hour? if you fire a bunch
of requests at it, does that increase the rate or does it not matter?

>> > > But yes, getting a specific commit there will be helpful.
>> > Sadly it turns out that it is the commit i feared it would be:
>> >
>> > > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
>> > > Author: Maxim Dounin <[email protected]>
>> > > Date: Fri Mar 24 02:57:43 2023 +0300
>> > >
>> > > SSL: enabled TLSv1.3 by default.
>> >
>> > Feared, because it basically puts me back to start w.r.t. what the
>> > root cause might be; Could be anything that happened to TLSv1.3 code
>> > in either LibreSSL or Nginx.

-- 
Please keep replies on the mailing list.
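Added example, not part of the thread and not written by any of its participants: a small POSIX shell toolkit for turning "memory leak" into the numbers the reply above asks for, namely a growth rate for the nginx worker processes and whether firing TLS 1.3 requests at the server changes that rate compared with an idle baseline. Assumptions not stated in the thread: OpenBSD's ps(1) accepts -axo rss,command and reports RSS in KiB, nginx listens on 127.0.0.1:443, and LibreSSL's openssl s_client accepts -tls1_3. The sample lines at the bottom are constructed, not real measurements.

```shell
#!/bin/sh
# Added example, not from the thread: quantify a suspected nginx memory leak
# and check whether TLS 1.3 request load changes the rate.
#
# Assumptions (none stated in the thread): OpenBSD ps(1) accepts
# -axo rss,command and reports RSS in KiB; nginx listens on 127.0.0.1:443;
# openssl s_client accepts -tls1_3 (LibreSSL's does).

# Total RSS in KiB of all nginx worker processes right now.
nginx_rss_kb() {
    ps -axo rss,command | awk '/nginx: worker/ { s += $1 } END { print s + 0 }'
}

# Read "epoch_seconds rss_kb" lines on stdin; print the growth rate in
# KiB per minute between the first and last sample, rounded to an integer.
# Prints 0 when there are fewer than two samples or no time has elapsed.
leak_rate_kb_per_min() {
    awk 'NR == 1 { t0 = $1; r0 = $2 }
         { t1 = $1; r1 = $2 }
         END {
             if (NR < 2 || t1 == t0) { print 0; exit }
             r = (r1 - r0) * 60 / (t1 - t0)
             printf "%d\n", ((r >= 0) ? int(r + 0.5) : -int(-r + 0.5))
         }'
}

# Emit $2 samples of "epoch rss_kb", $1 seconds apart, in the format
# leak_rate_kb_per_min reads. Run it once idle and once while
# hammer_tls13 is running in another shell, then compare the two rates.
sample_rss() {
    interval=$1; count=$2; i=0
    while [ "$i" -lt "$count" ]; do
        printf '%s %s\n' "$(date +%s)" "$(nginx_rss_kb)"
        i=$((i + 1))
        sleep "$interval"
    done
}

# Open $1 TLS 1.3 connections to $2 (host:port), one GET each, so a
# per-handshake leak shows up as a rate above the idle baseline.
hammer_tls13() {
    n=$1; target=$2; i=0
    while [ "$i" -lt "$n" ]; do
        printf 'GET / HTTP/1.0\r\n\r\n' |
            openssl s_client -connect "$target" -tls1_3 -quiet >/dev/null 2>&1
        i=$((i + 1))
    done
}

# Constructed samples (not real measurements): five readings a minute
# apart in which worker RSS climbs by roughly 2 MiB per minute.
CONSTRUCTED_SAMPLES='1695650000 131072
1695650060 133200
1695650120 135250
1695650180 137300
1695650240 139400'

# Rate for the constructed data: (139400 - 131072) * 60 / 240 = 2082 KiB/min.
constructed_rate() {
    printf '%s\n' "$CONSTRUCTED_SAMPLES" | leak_rate_kb_per_min
}
```

On a live box the comparison is `sample_rss 60 10 | leak_rate_kb_per_min` with the server idle, then the same command while `hammer_tls13 5000 127.0.0.1:443` runs elsewhere; a rate that scales with the request count points at per-connection state (handshake, session tickets), a rate that does not points at something time-driven instead.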

