BUG/MINOR: mworker/ssl: close openssl FDs unconditionally
Patch 56996da ("BUG/MINOR: mworker/ssl: close OpenSSL FDs on reload")
fixes a issue where the /dev/random FD was leaked by OpenSSL upon a
reload in master worker mode. Indeed the FD was not flagged with
CLOEXEC.
The fix was checking if ssl_used_frontend or ssl_used_backend were set
to close the FD. This is wrong, indeed the lua init code creates an SSL
server without increasing the backend value, so the deinit is never
done when you don't use SSL in your configuration.
To reproduce the problem you just need to build haproxy with openssl and
lua with an openssl which does not use the getrandom() syscall. No
openssl nor lua configuration are required for haproxy.
This patch must be backported as far as 1.8.
Fix issue #314.
(cherry picked from commit 5fdb5b36e1e0bef9b8a79c3550bd7a8751bac396)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/haproxy.c b/src/haproxy.c
index c93b0d1..fa3fbad 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -643,9 +643,8 @@
deinit_pollers();
}
#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
- if (global.ssl_used_frontend || global.ssl_used_backend)
- /* close random device FDs */
- RAND_keep_random_devices_open(0);
+ /* close random device FDs */
+ RAND_keep_random_devices_open(0);
#endif
/* restore the initial FD limits */