Red Hat Bugzilla – Bug 862937
Memory leak in perl-libwhisker2 resp. Net::SSLeay
Last modified: 2014-02-05 07:26:33 EST
Created attachment 621208 [details]
Description of problem:
libwhisker2 resp. Net::SSLeay seems to demonstrate memory leak.
When nikto2 is using libwhisker together with Net::SSL everything seems to be fine, but when it is used together with Net::SSLeay, program depleats all system memory.
Version-Release number of selected component (if applicable):
90% (relies on the response speed of the server, delay in response = problem)
Steps to Reproduce:
1. Install libwhisker2 and Net::SSLeay and Net::SSL
yum -y install perl-libwhisker2 perl-Net-SSLeay perl-Crypt-SSLeay
2. run nikto from the nikto2 package against some HTTPS host with slow reply:
nikto host-to-scan.example.com -ssl -port 443
By default the Net::SSLeay will be used and will leak all available memory in a short while
It should not leak the memory. If Net::SSL is used instead (for example if Net::SSLeay package is removed) no memory leak is visible and nikto process keeps steadily on something like 30MB.
nikto-2.1.5 (and modified libwhisker)
nikto-2.1.5-3.fc17 (nikto patched to use system wide libwhisker2)
Please could you consider adding a patch from nikto2 to libwhisker with possibility to initialize suitabe SSL engine or at least prioritize Net::SSL over Net::SSLeay.
Current code prefers Net::SSLeay. Changing the preference is not wise for stable Fedora. I can add code selecting implementation, but not to change the default preference (though this could be done in F19).
What's purpose of "auto" argument for init_ssl_engine()?
The only difference between "auto" and unknown value is that the latter unsets SSL engine if no SSL engine can be found. I'm tempting to remove the "auto" completely.
I would guess that it is there just for consistency (I mean to have some argument).The init_ssl_engine("auto") is called by default in module initialization. I believe you can remove the "auto" value and call init_ssl_engine() instead.
The current "auto" tries Net::SSL first and then Net::SSLeay, which is quite opposit to what is in pristine 2.5 libwhisker. If you do not want to change the behaviour within one release of Fedora it should be turned around.
For nikto - just the posibility to choose the Net::SSL engine explicitly would be great, no matter what is the defaults.
For slow servers the memory leak in Net::SSLeay is really pretty annoying.
Created attachment 621841 [details]
Attaching testing code for client using libwhisker for HTTPS connection.
As a server you can use simply apache ( yum -y install httpd mod_ssl ; service httpd restart ).
After 2000 requests the process using Net::SSLeay grows as much as 1.5GB.
Comparing to cca 15-30MB with Net:SSL I do not think there is any reason to use Net::SSLeay until it is fixed.
Memory leak still problem for the Fedora 18.
But the issue is probably not so big - the testscript https_client_whisker.pl seems to be running quite ok on F18 so I guess it might be nikto this time leaking somewhere else.
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '18'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 18's end of life.
Thank you for reporting this issue and we are sorry that we may not be
able to fix it before Fedora 18 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior to Fedora 18's end of life.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The patch does not apply to sources as the patch is against generated code. I tried to patch the sources, but due the way how the sources are built it's wery hard to do that cleanly (BEGIN sections). Frankly, I don't have time to implement it.
Please go to upstream.
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.