Known issue: Azure Sphere memory leak when using TLS with libcurl

The 20.07 and 20.08 Update 1 versions of the Azure Sphere OS contain a bug that results in a memory leak for applications that use HTTPS connections via libcurl. This leak does not occur for HTTP (non-HTTPS) connections, Azure IoT C SDK connections, or MQTT connections. Additionally, this leak does not occur when using the wolfSSL API directly to create a connection.

The amount of memory leaked varies with how the cURL handle is configured. We expect approximately tens of bytes to leak per HTTPS transaction.

The 20.09 OS release will include a fix for this bug. In the meantime, you can mitigate the problem by implementing a workaround.

Workaround

To work around this bug, disable the CURLOPT_SSL_SESSIONID_CACHE option when you create cURL handles. To do so, set the following option after cURL handle creation and once for each handle:

    curl_easy_setopt(curlHandle, CURLOPT_SSL_SESSIONID_CACHE, 0L);

For more details on how to do this, see CURLOPT_SSL_SESSIONID_CACHE explained (https://curl.haxx.se/libcurl/c/CURLOPT_SSL_SESSIONID_CACHE.html) in the cURL documentation.

This workaround will continue to work with the 20.09 release, but you may prefer to revert the workaround so that you can enable SSL session ID caching.

Solution

The fix will be part of the 20.09 release and will take effect whether the OS is delivered as an OTA update or via recovery. After the device has updated to 20.09, you can either revert applications that use the workaround to enable SSL session ID caching, or you can leave it disabled.