[erlang-patches] Fix SSL ETS table element leak and error cleanup

Bernard Duggan
Tue Dec 10 05:44:47 CET 2013

Hi list,
The SSL library maintains an internal table of CA certificates
(ssl_otp_cacertificate_db). This is supposed to be cleaned up when the
last connection using a certificate closes, however there are two problems
in R16B02 (and in the current master branch on github):

* When CA certificates are provided as binary blobs, rather than by
filename (i.e., #ssl_options.cacerts is set, but #ssl_options.cacertfile
is not) the cleanup never occurs due to an incorrect pattern match in
tls_connection:handle_trusted_certs_db/1. This causes the table to grow
unchecked because each connection adds a new entry.

* When the process exits abnormally, tls_connection:terminate/1 is never
called because the trap_exit process flag is not set and so similarly
the table (and everything else cleaned in terminate/1, for that matter)
is not cleaned up. This doesn't affect "normal" termination caused by
the connection closing because terminate/1 is called explicitly from
handle_sync_event/4, rather than relying on gen_fsm's automatic calling.

Fixes for both are here:

git fetch git://github.com/bernardd/otp ssl_cert_cache_fix

Credit goes to my colleague Nick Marino for doing the initial legwork to
track this down.

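The second problem described in the message above, reproduced in miniature as an added example that is not part of the original post or of the OTP patch. It uses gen_server as a stand-in for the gen_fsm-based tls_connection; the module name, table name and row contents are constructed. A worker whose linked owner crashes leaves its ETS row behind unless it traps exits, because only then does the behaviour run terminate/2.

```erlang
-module(trap_exit_leak_demo).
-behaviour(gen_server).
-export([run/0]).
-export([init/1, handle_call/3, handle_cast/2, handle_info/2, terminate/2]).

%% Constructed demo, not OTP code. Each worker adds one row to a shared ETS
%% table in init/1 and removes it in terminate/2, the way a connection
%% process registers and releases a cached CA certificate entry.
run() ->
    Tab = ets:new(demo_cacert_db, [public, set]),
    [{without_trap_exit, kill_owner(Tab, false)},
     {with_trap_exit, kill_owner(Tab, true)}].

%% Start a worker linked to a throwaway owner, crash the owner, wait for the
%% worker to die, then report whether its row is still in the table.
kill_owner(Tab, TrapExit) ->
    Caller = self(),
    Owner = spawn(fun() ->
        {ok, Pid} = gen_server:start_link(?MODULE, {Tab, TrapExit}, []),
        Caller ! {worker, self(), Pid},
        receive die -> exit(owner_crashed) end
    end),
    Worker = receive {worker, Owner, W} -> W end,
    Ref = erlang:monitor(process, Worker),
    Owner ! die,
    receive {'DOWN', Ref, process, Worker, _Reason} -> ok end,
    case ets:member(Tab, Worker) of
        true -> leaked;
        false -> cleaned
    end.

init({Tab, TrapExit}) ->
    %% With trap_exit = false the owner's exit signal kills this process
    %% outright and terminate/2 never runs.
    process_flag(trap_exit, TrapExit),
    ets:insert(Tab, {self(), <<"constructed certificate bytes">>}),
    {ok, Tab}.

%% Cleanup that only happens when the behaviour gets to call terminate/2.
terminate(_Reason, Tab) ->
    ets:delete(Tab, self()),
    ok.

handle_call(_Request, _From, Tab) -> {reply, ok, Tab}.
handle_cast(_Msg, Tab) -> {noreply, Tab}.
handle_info(_Info, Tab) -> {noreply, Tab}.
```

Compile the module and call `trap_exit_leak_demo:run()` from the shell; the trapping worker also emits a termination report because its exit reason is not `normal` or `shutdown`.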
