Cisco Bug: CSCvv59676 - Snort2: Implement aggressive pruning for certificate cache for TLS to free up memory
Sep 21, 2020
- Sourcefire Defense Center
Known Affected Releases
Symptom: Slightly higher memory use in Snort, but this is unlikely to be noticeable to end users in terms of symptoms. This is an enhancement to improve pruning for this cache, which improves system performance in terms of memory use.
Conditions: This bug applies only to 6.6.x or earlier releases. In 6.7, TLS memory usage is consolidated with all other Snort memory and all certificates are accounted for with LMDB, so this should not be seen in releases >= 6.7. Caching SSL certificates is mandatory in the system for performance reasons: a quick cache lookup avoids performing a full TLS handshake each time. However, whenever pruning is done, the certificate cache and the resigned-certificate cache need to be pruned somewhat more aggressively so that memory can actually be released. Currently only 2-10 certificates are released from the cache per pruning pass. More aggressive pruning can help alleviate small TLS cache memory issues, but the cache should NOT be pruned too much either, otherwise performance can suffer.