Skip to content

[BUG] Dynamic certificate reload does not release old certificates, causing native memory leak with OpenSSL #10395

Description

@qianye1001

Problem

When TLS certificates are dynamically reloaded (e.g., via SslContext rebuild on certificate file change), the old SslContext / SSLSessionContext and associated native resources are not explicitly released.

In the OpenSSL (netty-tcnative / BoringSSL) provider, each SslContext allocates off-heap native memory for the certificate chain, private key, and session cache. If the previous SslContext is simply dereferenced without calling release() / close(), the native memory is not freed until GC finalizes the object — which may never happen under low heap pressure, leading to a steady native memory growth proportional to the number of certificate rotations.

Expected Behavior

When a new certificate is loaded and a new SslContext is created, the old SslContext should be explicitly released (reference-counted release for ReferenceCounted implementations) to free native memory immediately.

Suggested Fix

After replacing the SslContext reference, call ReferenceCountUtil.release(oldSslContext) (or oldSslContext.close() for JDK provider compatibility) to ensure native resources are reclaimed promptly.

Additionally, ensure any in-flight connections using the old context are drained or that the release is deferred until active channels using the old context are closed.

Environment

  • Affects: Broker / Proxy / NameServer with TLS enabled and certificate hot-reload
  • SSL Provider: OpenSSL (netty-tcnative)
  • Observed: Native memory (RSS) grows monotonically on each certificate rotation cycle

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions