[pve-devel] [PATCH cluster] Free certificate file after reading it

Stoiko Ivanov s.ivanov at proxmox.com
Mon Jul 23 14:59:24 CEST 2018


Fix #1843

Reading https://$host:8006/nodes repeatedly leads to pveproxy keeping a
file descriptor open for each node-certificate in the cluster and each request,
thus eventually reaching its NOFile limit.

In accordance with the SSLeay docs: https://metacpan.org/pod/Net::SSLeay

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
Would it make sense to unify the certificate reading here with the methods we
have in pve-common/src/PVE/Certificate.pm? It took me longer to find the bug,
since I was focussed on the missing BIO_free in a method there.

data/PVE/Cluster.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 7569abc..6dc41ce 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -1537,6 +1537,7 @@ sub read_ssl_cert_fingerprint {
 	Net::SSLeay::BIO_free($bio);
 	die "unable to read certificate from '$cert_path'\n";
     }
+    Net::SSLeay::BIO_free($bio);
 
     my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
     Net::SSLeay::X509_free($cert);
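Review bot: Net::SSLeay::BIO_free($bio) now appears twice, once inside the error block that closes just above the added line and once immediately after it, which makes it easy to reintroduce the leak if another exit path is added later. Since $bio is not used again in the lines shown, a single Net::SSLeay::BIO_free($bio) placed directly after the certificate is read, before the check that guards the die, would release the descriptor on both the success and the failure path, and the copy inside the error block could then be dropped. A short comment there noting that the BIO holds the open certificate file would also help whoever touches read_ssl_cert_fingerprint next.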
-- 
2.11.0




