Do not leak fake SSL certificate context cache when reconfigure
authorAlex Rousskov <rousskov@measurement-factory.com>
Thu, 21 Aug 2014 00:29:33 +0000 (18:29 -0600)
committerAlex Rousskov <rousskov@measurement-factory.com>
Thu, 21 Aug 2014 00:29:33 +0000 (18:29 -0600)
changes port addresses.

We believe that deleting a cached LocalContextStorage object does not actually
affect connections that use the corresponding SSL_CTX and certificate because
any SSL object using those things increments their sharing counter and
deleting LocalContextStorage only decrements that counter. The [cached]
SSL_CTX object is not destroyed by SSL_CTX_free until that sharing counter
reaches zero.

src/ssl/context_storage.cc

index f0cb0005a809b13c3df020b7306af701d1f1c0ea..a2e0bd78845ba9b86361e2ff04261d5681753db3 100644 (file)
@@ -90,6 +90,7 @@ void Ssl::GlobalContextStorage::reconfigureFinish()
         for (std::map<Ip::Address, LocalContextStorage *>::iterator i = storage.begin(); i != storage.end(); ++i) {
             std::map<Ip::Address, size_t>::iterator conf_i = configureStorage.find(i->first);
             if (conf_i == configureStorage.end() || conf_i->second <= 0) {
+                delete i->second;
                 storage.erase(i);
             } else {
                 i->second->setMemLimit(conf_i->second);
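Review bot: The new `delete i->second;` sits directly before `storage.erase(i);`, and that erase invalidates the map iterator `i` that the enclosing `for` then advances with `++i` — undefined behaviour on every reconfigure that drops a port, which this commit leaves in place. The loop should advance before erasing: drop `++i` from the for header, write `storage.erase(i++);` in the if branch, and add `++i;` after `i->second->setMemLimit(conf_i->second);` in the else branch. The ownership change itself is worth a one-line comment at the delete, e.g. `// storage owns the LocalContextStorage; the SSL_CTX it refers to is refcounted and survives while in use`, since the justification currently lives only in the commit message. reconfigureFinish() starts and ends outside the hunk, so the for header and closing brace are not visible here.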