Description of problem:
tlsm_auth_cert_handler calls SSL_PeerCertificate to get the peer's cert from the socket. This cert must be freed with CERT_DestroyCertificate.
You can see this problem using valgrind with ldapsearch -ZZ. You will see memory leaks like this:
==23056== 48 bytes in 1 blocks are possibly lost in loss record 45 of 110
==23056== at 0x4A04A28: calloc (vg_replace_malloc.c:467)
==23056== by 0x30AF675479: nss_ZAlloc (arena.c:892)
==23056== by 0x30AE601A8E: PL_HashTableRawAdd (plhash.c:265)
==23056== by 0x30AF676C53: nssHash_Add (hash.c:259)
==23056== by 0x30AF66C7C7: nssCertificateStore_FindOrAdd (pkistore.c:192)
==23056== by 0x30AF6691B1: NSSCryptoContext_FindOrImportCertificate (cryptocontext.c:146)
==23056== by 0x30AF664A17: CERT_NewTempCertificate (stanpcertdb.c:456)
==23056== by 0x30B0212ED3: ssl3_HandleHandshakeMessage (ssl3con.c:7850)
==23056== by 0x30B0213E2F: ssl3_HandleRecord (ssl3con.c:8727)
==23056== by 0x30B02148CB: ssl3_GatherCompleteHandshake (ssl3gthr.c:209)
==23056== by 0x30B0217168: ssl_GatherRecord1stHandshake (sslcon.c:1258)
==23056== by 0x30B021CF14: ssl_Do1stHandshake (sslsecur.c:151)
==23056== by 0x30B021E67E: SSL_ForceHandshake (sslsecur.c:407)
==23056== by 0x30B32349E4: tlsm_session_accept_or_connect (tls_m.c:2350)
==23056== by 0x30B3233571: ldap_int_tls_connect (tls2.c:366)
==23056== by 0x30B32337DC: ldap_int_tls_start (tls2.c:833)
==23056== by 0x30B323394D: ldap_start_tls_s (tls2.c:939)
==23056== by 0x40B798: tool_conn_setup (common.c:1290)
==23056== by 0x4069A7: main (ldapsearch.c:900)
In other applications that use Mozilla NSS, you will see errors in NSS_Shutdown and NSS_Initialize - NSS_Shutdown will fail because the cert objects are cached, and the cache cannot be freed because there is still an outstanding reference.
Patch submitted upstream - http://www.openldap.org/its/index.cgi?findid=6980
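The ownership rule behind this report (SSL_PeerCertificate hands back a reference the callback must drop with CERT_DestroyCertificate, and NSS_Shutdown cannot tear down the cert cache while that reference is outstanding) is modelled below in a small, self-contained C program. This is an added example, not OpenLDAP or NSS code: the cache, the certificate struct and the function names are constructed stand-ins for the real APIs named in the report, and the "validation" in the handlers is a placeholder. It shows the leaky handler blocking shutdown and the fixed handler letting it succeed.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a reference-counted certificate cache (constructed for this
 * example; it is NOT NSS code). It mirrors the contract described in the
 * report: the accessor hands back a new reference that the caller must drop,
 * and shutdown fails while any caller-held reference is outstanding. */

typedef struct {
    char subject[64];
    int refcount;      /* references held by the cache plus callers */
} Cert;

typedef struct {
    Cert *entries[8];
    int count;
} CertCache;

/* The cache keeps one reference of its own, like a temp cert imported during
 * the handshake. */
static Cert *cache_import(CertCache *cache, const char *subject) {
    Cert *c = calloc(1, sizeof(*c));
    strncpy(c->subject, subject, sizeof(c->subject) - 1);
    c->refcount = 1;
    cache->entries[cache->count++] = c;
    return c;
}

/* Stand-in for SSL_PeerCertificate(): returns a NEW reference. */
static Cert *peer_certificate(Cert *peer) {
    peer->refcount++;
    return peer;
}

/* Stand-in for CERT_DestroyCertificate(): drops one reference. */
static void destroy_certificate(Cert *c) {
    assert(c->refcount > 0);
    c->refcount--;
}

/* Stand-in for NSS_Shutdown(): 0 on success, -1 if a caller still holds a
 * certificate and the cache therefore cannot be freed. */
static int cache_shutdown(CertCache *cache) {
    int i;
    for (i = 0; i < cache->count; i++)
        if (cache->entries[i]->refcount != 1)
            return -1;
    for (i = 0; i < cache->count; i++)
        free(cache->entries[i]);
    cache->count = 0;
    return 0;
}

/* Auth-cert callback as the report describes the bug: takes a reference and
 * never releases it. */
static int leaky_auth_cert_handler(Cert *peer) {
    Cert *cert = peer_certificate(peer);
    int ok = cert->subject[0] != '\0';   /* placeholder validation */
    return ok;                           /* reference leaked here */
}

/* Fixed callback: the reference is released once validation is finished. */
static int fixed_auth_cert_handler(Cert *peer) {
    Cert *cert = peer_certificate(peer);
    int ok = cert->subject[0] != '\0';   /* placeholder validation */
    destroy_certificate(cert);
    return ok;
}

/* Run one handshake through the given handler and return the shutdown result:
 * 0 if shutdown succeeded, -1 if a leaked reference blocked it. */
static int simulate(int (*handler)(Cert *)) {
    CertCache cache = {{0}, 0};
    Cert *peer = cache_import(&cache, "CN=ldap.example.test");  /* constructed subject */
    int rc;
    handler(peer);
    rc = cache_shutdown(&cache);
    if (rc != 0) {
        /* release the toy objects so the model itself is clean under valgrind */
        int i;
        for (i = 0; i < cache.count; i++)
            free(cache.entries[i]);
        cache.count = 0;
    }
    return rc;
}

int main(void) {
    printf("leaky handler: shutdown %s\n",
           simulate(leaky_auth_cert_handler) == 0 ? "ok" : "FAILED");
    printf("fixed handler: shutdown %s\n",
           simulate(fixed_auth_cert_handler) == 0 ? "ok" : "FAILED");
    return 0;
}
```

The same pattern is what valgrind reports above: the allocation is reachable from the cache, so it shows up as "possibly lost" rather than definitely lost, and the symptom in long-running NSS applications is a failing NSS_Shutdown rather than a crash.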
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
- Any tool which uses both the OpenLDAP and Mozilla NSS libraries. OpenLDAP validates the TLS peer, and the certificate is cached by the Mozilla NSS library.
- The tool can fail on the NSS_Shutdown function call, because the client certificate is not freed and the caches cannot be destroyed.
- The peer certificate is freed in the OpenLDAP library after certificate validation is finished.
- All caches can be freed and NSS_Shutdown succeeds.
Resolved in openldap-2.4.26-1.fc16
openldap-2.4.24-4.fc15 has been submitted as an update for Fedora 15.
openldap-2.4.24-5.fc15 has been submitted as an update for Fedora 15.
openldap-2.4.24-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.