From: Carlos V. <car...@ni...> - 2012-04-21 21:23:31

>> Apart from this patch all seems to be working fine in the OCSP with
>> Cisco. Will be making more tests soon.

About sha2 support in Cisco IOS OCSP implementation, I have contacted Cisco TAC and opened bug id: CSCtz40028

However, for now it is a bug of low priority (sigh). If anyone reading this list has an active support contract with Cisco, maybe we can push together. I will get in contact with my Cisco AM to engage him in this to raise the priority.

Also attached is a patch for CRL autoreload in OCSP; it was not working at all due to some typos in the configuration part.

More important... there are memory leaks in OCSP, as Joachim Astel said. I managed to reproduce the issue by bombarding the OCSPd with OpenSSL OCSP checks. See the RSS field:

  PID TTY      STAT   TIME  MAJFL   TRS    DRS   RSS %MEM COMMAND
13698 ?        SNl    0:45      0    44 790895  7104  0.1 /usr/sbin/ocspd -c /etc/ocspd/ocspd.xml -d -v

After some time bombarding:

  PID TTY      STAT   TIME  MAJFL   TRS    DRS   RSS %MEM COMMAND
13698 ?        SNl    9:57      0    44 790895 63072  1.5 /usr/sbin/ocspd -c /etc/ocspd/ocspd.xml -d -v

I have managed to run OCSPd through Valgrind in an Ubuntu VM and see a lot of memory leaks. Attached is the Valgrind log. Not an expert, but I think this is the most important:

==20277== 323,796 (2,904 direct, 320,892 indirect) bytes in 121 blocks are definitely lost in loss record 993 of 993
==20277==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==20277==    by 0x4E59CCC: PKI_Malloc (pki_mem.c:255)
==20277==    by 0x4E59626: PKI_MEM_new_null (pki_mem.c:17)
==20277==    by 0x4E5A331: PKI_MEM_new_bio (pki_mem.c:486)
==20277==    by 0x4E72B90: PKI_X509_put_mem_value (pki_x509_mem.c:310)
==20277==    by 0x4E72813: PKI_X509_put_mem (pki_x509_mem.c:216)
==20277==    by 0x4E7576A: PKI_X509_OCSP_REQ_put_mem (pki_ocsp_req_io.c:287)
==20277==    by 0x405E0C: ocspd_resp_send_socket (response.c:370)
==20277==    by 0x404D1E: thread_main (threads.c:107)
==20277==    by 0x50CEEFB: start_thread (pthread_create.c:304)
==20277==    by 0x577659C: clone (clone.S:112)

Regards