
Add SSL SNI certificates support: #25

Status: Open. Wants to merge 1 commit into master.
Conversation

xsawyerx

@xsawyerx xsawyerx commented Apr 1, 2015

A new feature: this adds the ability to support multiple SSL
certificates (for multiple domains) under a single IP address.

If you provide "ssl_sni_dir", it will read the files inside it,
expecting each file to contain both the key and certificate(s)
for each time. This means it doesn't matter what the filenames are,
as long as they contain both the key and certificate(s) inside them.

Then it reads the certificates for the domain name (commonName)
and the alternative ones (while removing duplicates) and sets up
the proper structure for IO::Socket::SSL.

This uses IO::Socket::SSL::Utils (loaded lazily without importing
new subroutines), so it doesn't add any new dependencies.

If you provide both ssl_cert_file/ssl_key_file and ssl_sni_dir,
the latter will win silently.

Something to consider: ignoring dotfiles in the directory.

@boltronics

Is there a memory leak here? Running this patch on Wheezy (which has perl 5.14.2) and libio-socket-ssl-perl 1.961. The patch works, but our memory usage is climbing by about 1Gb/day on each production server I have used this patch on.

I should note that the libio-socket-ssl-perl version included in Wheezy is 1.76-2, which is evidently too old for this to work, and the latest version wasn't easily building on Wheezy so I ended up just building 1.76 myself.

I didn't see the memory leak in other environments, presumably because there wasn't sufficient load/requests. However the memory usage graph of the app servers running Perlbal looks surprisingly linear.

@xsawyerx
Author

The code is so small, I can't off-hand see where a leak would be.

I'm sorry to say I don't get to work much on Perlbal systems nowadays. I suggest Test::MemoryGrowth and Test::Memory::Cycle to debug such leaks.

If you can provide me with a test showing the memory leak, I would be more than happy to revise the patch.

Alternatively, you can get in touch with me and I might be able to help you debug and fix it.
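Added example, not part of this pull request, of the Perlbal code base, or of any comment above. It shows the two things discussed in this thread in working Perl: the ssl_sni_dir idea from the description (read every non-dot file in a directory, expect key plus certificate in each, collect the commonName and the DNS subjectAltNames without duplicates, and build hostname-keyed hashes in the shape IO::Socket::SSL takes for SNI), and the Test::MemoryGrowth check suggested just above, applied to one load/free cycle of that loader. The certificates, file names and temp directory are constructed for the example; whether the growth boltronics observed has anything to do with this code path is not established on this page.

```perl
#!/usr/bin/env perl
# Added example, not Perlbal's code and not the patch under review.
# Builds an IO::Socket::SSL SNI structure from a directory of combined
# key+certificate PEM files (the ssl_sni_dir idea), skipping dotfiles,
# then checks one load/free cycle for memory growth.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use IO::Socket::SSL::Utils ();   # called fully qualified, nothing imported
use Test::More;
use Test::MemoryGrowth;

# Read every regular, non-dot file in $dir. Each file is expected to hold
# one private key and its certificate. Returns (\%cert_for, \%key_for),
# keyed by lowercase hostname: the subject commonName plus every DNS
# subjectAltName, with duplicates removed.
sub load_sni_dir {
    my ($dir) = @_;
    my (%cert_for, %key_for);
    opendir my $dh, $dir or die "opendir $dir: $!";
    for my $name (sort grep { !/^\./ } readdir $dh) {
        my $path = File::Spec->catfile($dir, $name);
        next unless -f $path;
        my $cert = IO::Socket::SSL::Utils::PEM_file2cert($path);
        my $key  = IO::Socket::SSL::Utils::PEM_file2key($path);
        my $info = IO::Socket::SSL::Utils::CERT_asHash($cert);
        my @hosts = map { lc } grep { defined }
            $info->{subject}{commonName},
            map { $_->[0] eq 'DNS' ? $_->[1] : () }
                @{ $info->{subjectAltNames} || [] };
        my %seen;
        for my $host (grep { !$seen{$_}++ } @hosts) {
            # Two files claiming one hostname is a configuration error worth
            # surfacing rather than resolving silently.
            warn "$host: $name overrides an earlier file\n"
                if exists $cert_for{$host};
            $cert_for{$host} = $cert;
            $key_for{$host}  = $key;
        }
    }
    closedir $dh;
    return (\%cert_for, \%key_for);
}

# Net::SSLeay objects are raw pointers, not Perl references: nothing frees
# them for you. Release each distinct object once (several hosts share one).
sub free_sni {
    my ($cert_for, $key_for) = @_;
    my %done;
    IO::Socket::SSL::Utils::CERT_free($_) for grep { !$done{"c$_"}++ } values %$cert_for;
    IO::Socket::SSL::Utils::KEY_free($_)  for grep { !$done{"k$_"}++ } values %$key_for;
}

# Constructed test data: two self-signed certificates written as key+cert
# files, plus a dotfile that must be ignored. Names are made up.
sub make_sni_dir {
    my $dir   = tempdir(CLEANUP => 1);
    my %sites = (
        'shop.pem' => [ 'example.com', [ 'www.example.com', 'example.com' ] ],
        'mail.pem' => [ 'example.net', [ 'mail.example.net' ] ],
    );
    for my $file (sort keys %sites) {
        my ($cn, $sans) = @{ $sites{$file} };
        my ($cert, $key) = IO::Socket::SSL::Utils::CERT_create(
            subject         => { commonName => $cn },
            subjectAltNames => [ map { [ DNS => $_ ] } @$sans ],
            not_after       => time + 86400,
        );
        open my $fh, '>', File::Spec->catfile($dir, $file) or die "$file: $!";
        print {$fh} IO::Socket::SSL::Utils::PEM_key2string($key),
                    IO::Socket::SSL::Utils::PEM_cert2string($cert);
        close $fh;
        IO::Socket::SSL::Utils::CERT_free($cert);
        IO::Socket::SSL::Utils::KEY_free($key);
    }
    open my $fh, '>', File::Spec->catfile($dir, '.keep') or die ".keep: $!";
    close $fh;
    return $dir;
}

my $dir = make_sni_dir();
my ($certs, $keys) = load_sni_dir($dir);
is_deeply([ sort keys %$certs ],
    [ qw(example.com example.net mail.example.net www.example.com) ],
    'CN and DNS SANs collected, duplicate CN/SAN removed, dotfile skipped');
is($certs->{'example.com'}, $certs->{'www.example.com'},
    'hosts from one file share a single certificate object');
free_sni($certs, $keys);

# Turn the "is there a leak?" question into a repeatable assertion.
no_growth { free_sni(load_sni_dir($dir)) } calls => 100,
    'one load/free cycle of the SNI directory does not grow memory';
done_testing;
```

The two hashes are in the form IO::Socket::SSL documents for server-side SNI (hostname keys for SSL_cert and SSL_key, with '' as the default entry); the example stops at building them rather than opening a listener. PEM_file2cert returns only the first certificate in a file, so a file carrying an intermediate chain needs the chain loaded separately; the lifetime handling in free_sni is the part a practitioner should mirror wherever certificate objects are rebuilt at runtime, since an object that is reloaded but never freed is exactly the pattern Test::MemoryGrowth will flag.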

@boltronics

No worries. Thanks for the offer, but it looks like we're going to give HAProxy a shot, since we're already using it for other things and Perlbal unfortunately doesn't seem to be maintained these days.

@xsawyerx
Author

That is unfortunate but makes sense. :)

@dormando
Member

dormando commented Dec 3, 2015

Sorry folks :(

HAP's SSL support is fairly good, for what it's worth.

On Mon, 23 Nov 2015, Sawyer X wrote:

That is unfortunate but makes sense. :)

