Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-54232

SSL_add_{file,dir}_cert_subjects_to_stack are slow

XMLWordPrintable

    • openssl-3.2.2-10.el10
    • No
    • Moderate
    • Patch
    • 5cec58bdfffeff89cce3cfc64e8e2cb709a8fa8e
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 31
    • 0.2
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • Crypto24Q3
    • Release Note Not Required
    • All
    • None

      What were you trying to do that didn't work?

      Use SSL_add_file_cert_subjects_to_stack or SSL_add_dir_cert_subjects_to_stack with a large number of certificates.

      Backport https://github.com/openssl/openssl/commit/5cec58bdfffeff89cce3cfc64e8e2cb709a8fa8e to address this.

      Please provide the package NVR for which bug is seen:

      openssl-3.2.2-9.el10

      How reproducible:

      Run the attached reproducer with 1000 or more certificates with different subjects.

      Steps to reproduce

      1. openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
      2. mkdir -p dir-1000
      3. for num in $(seq 0 1000); do openssl req x509 -key server.key -days 365 -subj "$(printf '/CN=host%05d' $num)" -out "$(printf 'certs/%05d.crt' $num)"; done
      4. gcc -O3 -fno-omit-frame-pointer -ggdb -o bench bench.c -lssl -lcrypto
      5. ./bench 10 dir-1000

      See also /CoreOS/tests/stunnel/Regression/RHEL-52321-CAfile-processing-is-slow.

      Expected results

      Finishes in under 2 seconds

      Actual results

      Finishes in ~6 seconds

        1. bench.c
          0.7 kB

              dbelyavs@redhat.com Dmitry Belyavskiy
              cllang@redhat.com Clemens Lang
              Dmitry Belyavskiy Dmitry Belyavskiy
              George Pantelakis George Pantelakis
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: