a13302691fc41d6ff9a561685f4af33ef2921d51 galt Wed May 24 14:32:19 2017 -0700 Problem discovered handle leak. Reported by Jonathan. We just need to close it ourselves at the end since we use BIO_noclose flag. This is good for future if we someday re-use a connection.
diff --git src/lib/https.c src/lib/https.c
index 5bf8b6a..fdfe924 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -87,31 +87,32 @@ /* use a thread to run socket back to user */ { /* child */ struct netConnectHttpsParams *params = threadParam; pthread_detach(params->thread); // this thread will never join back with it's progenitor int fd=0; char *proxyUrl = getenv("https_proxy"); if (params->noProxy) proxyUrl = NULL; char *connectHost; int connectPort;
-BIO *sbio=NULL, *ssbio=NULL;
+BIO *fbio=NULL; // file descriptor bio
+BIO *sbio=NULL; // ssl bio
 SSL_CTX *ctx; SSL *ssl; openSslInit(); ctx = SSL_CTX_new(SSLv23_client_method()); fd_set readfds; fd_set writefds; int err; struct timeval tv; /* TODO checking certificates
@@ -177,43 +178,44 @@ char *newUrl = NULL; boolean success = netSkipHttpHeaderLinesWithRedirect(fd, proxyUrl, &newUrl); if (!success) { xerr("proxy server response failed"); goto cleanup; } if (newUrl) /* no redirects */ { xerr("proxy server response should not be a redirect"); goto cleanup; } }
-sbio=BIO_new_socket(fd,BIO_NOCLOSE);
-if (sbio == NULL)
+fbio=BIO_new_socket(fd,BIO_NOCLOSE);
+// BIO_NOCLOSE because we handle closing fd ourselves.
+if (fbio == NULL)
 { xerr("BIO_new_socket() failed"); goto cleanup; }
-ssbio = BIO_new_ssl(ctx, 1);
-if (ssbio == NULL)
+sbio = BIO_new_ssl(ctx, 1);
+if (sbio == NULL)
 { xerr("BIO_new_ssl() failed"); goto cleanup; }
-sbio = BIO_push(ssbio, sbio);
+sbio = BIO_push(sbio, fbio);
 BIO_get_ssl(sbio, &ssl); if(!ssl) { xerr("Can't locate SSL pointer"); goto cleanup; } /* Server Name Indication (SNI) Required to complete tls ssl negotiation for systems which house multiple domains. (SNI) This is common when serving HTTPS requests with a wildcard certificate (*.domain.tld). This line will allow the ssl connection to send the hostname at tls negotiation time. It tells the remote server which hostname the client is connecting to. The hostname must not be an IP address.
@@ -435,30 +437,31 @@ && (errno != 32)) // udcCache often closes causing "Broken pipe" xerrno("error writing https data back to user pipe"); goto cleanup; } bwt += bwtx; } brd = 0; bwt = 0; } } } cleanup: BIO_free_all(sbio); // will free entire chain of bios
+close(fd); // Needed because we use BIO_NOCLOSE above. Someday might want to re-use a connection.
 close(params->sv[1]); /* we are done with it */ return NULL; } int netConnectHttps(char *hostName, int port, boolean noProxy) /* Return socket for https connection with server or -1 if error. */ { fflush(stdin); fflush(stdout); fflush(stderr); struct netConnectHttpsParams *params; AllocVar(params);
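Review bot: In the second hunk, the `sbio == NULL` branch after `BIO_new_ssl(ctx, 1)` jumps to `cleanup` while `fbio` is already allocated but not yet pushed onto the chain, so `BIO_free_all(sbio)` is called with NULL and the socket BIO is never freed. Before the rename the same path did free it, because `sbio` then held the socket BIO. Freeing it on that path, with `BIO_free(fbio);` ahead of the `goto cleanup;`, restores that behaviour without risking a double free once `BIO_push(sbio, fbio)` has linked the two. The enclosing function starts and ends outside this hunk.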
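Review bot: The new `close(fd);` at `cleanup:` in the third hunk runs on every exit path, and the first hunk shows `fd` declared as `int fd=0;`, so any `goto cleanup` reached before `fd` holds the connected socket would close descriptor 0 for the whole process rather than a socket. The code between the hunks is not visible here, so whether such a path exists should be confirmed; an explicit sentinel settles it either way: `int fd=-1;` at the declaration and `if (fd >= 0) close(fd);` here. Because this runs in a detached thread, a stray close also frees the descriptor number for reuse by whatever another thread opens next, which makes the guard worth having even where the close would only fail with EBADF. The function body begins outside this hunk.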