BUG/MINOR: mworker/ssl: close OpenSSL FDs on reload

From OpenSSL 1.1.1, the default behaviour is to maintain open FDs to any random devices that get used by the random number library. As a result, those FDs leak when the master re-execs on reload; since those FDs are not marked FD_CLOEXEC or O_CLOEXEC, they also get inherited by children. Eventually both master and children run out of FDs. OpenSSL 1.1.1 introduces a new function to control whether the random devices are kept open. When clearing the keep-open flag, it also closes any currently open FDs, so it can be used to clean-up open FDs too. Therefore, a call to this function is made in mworker_reload prior to re-exec. The call is guarded by whether SSL is in use, because it will cause initialisation of the OpenSSL random number library if that has not already been done. This should be backported to 1.9 and 1.8.
2025-01-01 09:42:02 +00:00 · 2019-05-03 09:11:32 +01:00 · 2019-05-03 09:11:32 +01:00 · 56996dabe6
commit 56996dabe6
parent 5dfdd4a630
1 changed files with 6 additions and 0 deletions
--- a/src/haproxy.c
+++ b/src/haproxy.c
@ -127,6 +127,7 @@
 #include <proto/vars.h>
 #ifdef USE_OPENSSL
 #include <proto/ssl_sock.h>
+#include <openssl/rand.h>
 #endif

 /* array of init calls for older platforms */
@ -589,6 +590,11 @@ void mworker_reload()
 		ptdf->fct();
 	if (fdtab)
 		deinit_pollers();
+#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+	if (global.ssl_used_frontend || global.ssl_used_backend)
+		/* close random device FDs */
+		RAND_keep_random_devices_open(0);
+#endif

 	/* restore the initial FD limits */
 	limit.rlim_cur = rlim_fd_cur_at_boot;