[CDRIVER-1555] SSL connections can leak sockets
Created: 21/Sep/16  Updated: 19/Oct/16  Resolved: 23/Sep/16

Status: Closed
Project: C Driver
Component/s: libmongoc, tls
Affects Version/s: 1.3.0, 1.4.1
Fix Version/s: 1.5.0

Type: Bug
Priority: Major - P3
Reporter: John Becker
Assignee: Hannes Magnusson
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 2007, Visual Studio 2010



 Description   

When an SSL-enabled mongoc_client_t attempts to communicate with a mongod listening on an unsecure socket it leaks one socket per request.

Calling mongoc_client_destroy to clean up the mongoc_client_t does not clean up the sockets. Exiting the application is the only way to free the sockets.

Steps to reproduce:

  • Configure mongod to listen on an unsecure port.
  • Configure a mongoc application to communicate with mongod, attempting to use an SSL connection.
  • Run the application
  • Run 'netstat -b' to observe the increasing number of established socket connections that never close.


 Comments   
Comment by Githook User [ 23/Sep/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-1555: SSL connections can leak sockets
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/90fa9baafca556caa21b34d8b3de07a6816960ea

Comment by Hannes Magnusson [ 22/Sep/16 ]

Interesting, thanks!
I can reproduce this now

Comment by John Becker [ 22/Sep/16 ]

Yes, the example below produces a socket leak for each call to mongoc_client_get_server_status. The specific misconfiguration that triggers the leak is setting pem_file or ca_file to the empty string in the mongoc_ssl_opt_t structure.

#include <bson.h>
#include <mongoc.h>
#include <stdio.h>
 
int main( int argc, char *argv[] )
{
	mongoc_client_t *client;
	mongoc_ssl_opt_t ssl = {0};
	
	mongoc_init();
	
	// attempt to make a secure connection to an unsecured mongod
	client = mongoc_client_new("mongodb://localhost:27011/?ssl=true");
	
	// if either pem_file or ca_file are set to the empty string then
	// we will notice a socket leak on each connection attempt
	ssl.pem_file = "";
	ssl.ca_file = "";
	mongoc_client_set_ssl_opts(client, &ssl);
	
	while (1)
	{
		bson_t reply;
		bson_error_t error;
		mongoc_read_prefs_t *read_prefs = mongoc_read_prefs_new(MONGOC_READ_PRIMARY_PREFERRED);
		int success;
		
		success = mongoc_client_get_server_status(client, read_prefs, &reply, &error);
		if (!success)
		{
			fprintf(stdout, "Server status failure: %s\n", error.message);
		}
		
		bson_destroy(&reply);
		mongoc_read_prefs_destroy(read_prefs);
	}
	
	// not reached: the loop above runs until the process is killed
	mongoc_client_destroy(client);
	mongoc_cleanup();
	return 0;
}
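
One way to turn the 'netstat -b' observation into a repeatable check, as an added example that is not from this issue or from the driver: count the process's open sockets before and after a batch of failing connection attempts. attempt_connection is a hypothetical stand-in for a connection whose TLS setup fails after the socket exists; the page does not show the driver's actual code path, and the example assumes POSIX calls and a 1024-descriptor scan range rather than the reporter's Windows build.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors in this process that are sockets. getsockopt(SO_TYPE)
 * succeeds only on sockets. Assumption: descriptors stay below 1024. */
int count_open_sockets(void)
{
    int fd, type, n = 0;
    socklen_t len;

    for (fd = 0; fd < 1024; fd++) {
        len = sizeof type;
        if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0)
            n++;
    }
    return n;
}

/* Hypothetical stand-in for one connection attempt: the socket is created
 * first, then TLS setup fails because pem_file is the empty string.
 * AF_UNIX is used so the example needs no network access. */
int attempt_connection(const char *pem_file, int close_on_error)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    if (pem_file != NULL && pem_file[0] == '\0') {
        if (close_on_error)
            close(fd);      /* the cleanup a leaky error path omits */
        return -1;
    }
    close(fd);              /* no server here: end the attempt cleanly */
    return 0;
}

/* Run `attempts` failing connections; return how many sockets stayed open. */
int sockets_leaked(int attempts, int close_on_error)
{
    int before = count_open_sockets(), i;

    for (i = 0; i < attempts; i++)
        attempt_connection("", close_on_error);
    return count_open_sockets() - before;
}

int main(void)
{
    printf("without cleanup: %d sockets left open\n", sockets_leaked(20, 0));
    printf("with cleanup:    %d sockets left open\n", sockets_leaked(20, 1));
    return 0;
}
```

A non-zero result from sockets_leaked after a run of failed attempts is the same signal as the growing connection list in netstat, in a form a regression test can assert on.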

Comment by Hannes Magnusson [ 22/Sep/16 ]

I'm not able to reproduce this on Windows or Linux, be it when compiled against OpenSSL. Since you reported this against 1.3.0, I'm assuming you are compiling against OpenSSL, and not SChannel.

I tried to use our example-ping.c, adding a long Sleep() before the return and cleanups, and passing it "mongodb://server/?ssl=1" as argument.

As far as I can tell we successfully call mongoc_socket_close on the underlying socket, which calls shutdown and closesocket.

Do you have a reproduction case where this is not the case?

Comment by A. Jesse Jiryu Davis [ 21/Sep/16 ]

Thanks for the report!
