kore

An easy to use, scalable and secure web application framework for writing web APIs in C.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git

commit 1c685cce90928ba9f3a676666137e6a8c709d971
parent 95819d2dc2710be9f77ebaa87233de9e2cb35885
Author: Joris Vink <joris@coders.se>
Date:   Fri, 11 Apr 2014 08:46:50 +0200

Comment on why/how we're disabling freelists.

OpenBSD was clever enough to throw these out so no need to
munge the freelist stuff there anymore.

Diffstat:
src/domain.c | 11+++++++++++
1 file changed, 11 insertions(+), 0 deletions(-)

diff --git a/src/domain.c b/src/domain.c @@ -114,7 +114,18 @@ kore_domain_sslstart(struct kore_domain *dom) SSL_CTX_set_session_id_context(dom->ssl_ctx, (unsigned char *)SSL_SESSION_ID, strlen(SSL_SESSION_ID)); + /* + * Force OpenSSL to not use its freelists. Even without using + * SSL_MODE_RELEASE_BUFFERS there are times it will use the + * freelists. So forcefully putting its max length to 0 is the + * only we choice we seem to have. + * + * Note that OpenBSD has since heartbleed removed freelists + * from its OpenSSL in base so we don't need to care about it. + */ +#if !defined(OpenBSD) || (OpenBSD < 201405) dom->ssl_ctx->freelist_max_len = 0; +#endif SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2);