id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1234	"""proxy_ssl_trusted_certificate"" is loaded into memory many times when defined in ""http"" context."	zrice57@…		"When enabling `proxy_ssl_verify` we set the `proxy_ssl_trusted_certificate` to the default system bundle: `/etc/pki/tls/cert.pem`.

This cert bundle is about 250 kilobytes.

We have thousands of `server` blocks defined and all of them have a value for `proxy_ssl_name` defined because we use IP addresses to define upstream servers.

It seems that the cert bundle is loaded many thousands of times into memory (once for each upstream?).

Nginx typically uses ~2GB of memory, but enabling `proxy_ssl_verify` causes it to expand to 8GB (the system max) before being killed by the kernel. 

If the `proxy_ssl_trusted_certificate` is changed to a single cert, the memory consumed by nginx is seemingly normal again. 

"	enhancement	closed	minor		other	1.10.x	fixed	Memory Proxy_SSL		Linux REDACTED_HOSTNAME 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-file-aio --with-threads --with-ipv6 --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'"
