OpenSSL SSL_CTX_set_default_verify_paths Slow

Jay Foster jayf0ster at roadrunner.com
Fri Sep 24 17:50:12 UTC 2021


While migrating some applications from OpenSSL 1.0.2 (and 1.1.1) to 
3.0.0, I have noticed that the SSL_CTX_set_default_verify_paths() 
function is much slower in 3.0.0.  In 1.0.0 it would take about 0.1 
seconds and in 3.0.0 it takes over 3 seconds.

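strace indicates that the extra time is spent while the cert.pem file is 
being read: the interval between successive read() calls grows from a 
few milliseconds in 1.0.2u to typically 100-200 ms in 3.0.0.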

OpenSSL 1.0.2u:
1583  17:41:43.233288 getuid32()        = 0
1583  17:41:43.234439 geteuid32()       = 0
1583  17:41:43.235379 getgid32()        = 0
1583  17:41:43.236314 getegid32()       = 0
1583  17:41:43.237285 open("/usr/local/ssl/cert.pem", 
O_RDONLY|O_LARGEFILE) = 4
1583  17:41:43.238790 fstat64(4, {st_mode=S_IFREG|0666, st_size=79902, 
...}) = 0
1583  17:41:43.241239 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f38000
1583  17:41:43.242257 read(4, "# Version: 1.51\n-----BEGIN CERTI"..., 
4096) = 4096
1583  17:41:43.244713 read(4, "NXozS7Gas44XRrIsQxzgHVGzbjHjhMM5"..., 
4096) = 4096
1583  17:41:43.249735 read(4, "hT37ha88HQfqDjrw43bAuEbFrskLMmrz"..., 
4096) = 4096
1583  17:41:43.258402 read(4, "vT0Lwdd8KkMaOIG+YD/is\nI19wKTakyY"..., 
4096) = 4096
1583  17:41:43.266628 read(4, "QQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ"..., 
4096) = 4096
1583  17:41:43.272394 read(4, "hG5QbutC+5yqHLkP88Oe\nLe3hwcyV07e"..., 
4096) = 4096
1583  17:41:43.280053 read(4, "wA3ekEzeOEz4vMQGn+H\nLL729fdC4uW/"..., 
4096) = 4096
1583  17:41:43.286542 read(4, "M48vCR85mLK4b19p71XZQvk/iXttmkQ3"..., 
4096) = 4096
1583  17:41:43.291246 read(4, "HdWdAgMBAAGjQjBA\nMA8GA1UdEwEB/wQ"..., 
4096) = 4096
1583  17:41:43.297614 read(4, "Lpyo7RJlbmr2EkRT\ncDCVw5wrWCs9CHR"..., 
4096) = 4096
1583  17:41:43.303533 read(4, "9IVVO5EFdkKrqeKM+2x\nLXY2JtwE65/3"..., 
4096) = 4096
1583  17:41:43.310932 read(4, "F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0\n"..., 
4096) = 4096
1583  17:41:43.316617 read(4, "WRJ2p\nmj6q1WZmAT7qSeaiNbz69t2Vjp"..., 
4096) = 4096
1583  17:41:43.322393 read(4, "R5B3LjiKY0QP6x93SGVvdh2azrsw\n/FQ"..., 
4096) = 4096
1583  17:41:43.329364 read(4, "TE1MDYzMDAwMDAwMFoXDTI1MDYyOTIzN"..., 
4096) = 4096
1583  17:41:43.334562 read(4, "oXkJKtv3\nL7IezMdeatiDh6GX70k1Pnc"..., 
4096) = 4096
1583  17:41:43.341086 read(4, "CAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1e"..., 
4096) = 4096
1583  17:41:43.347563 read(4, "gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk"..., 
4096) = 4096
1583  17:41:43.352496 read(4, "wQFMAMB\nAf8wDgYDVR0PAQH/BAQDAgGG"..., 
4096) = 4096
1583  17:41:43.359379 read(4, "Mk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y"..., 
4096) = 2078
1583  17:41:43.363656 read(4, "", 4096) = 0
1583  17:41:43.364918 close(4)          = 0
1583  17:41:43.365884 munmap(0xb6f38000, 4096) = 0
1583  17:41:43.371532 getuid32()        = 0
1583  17:41:43.372463 geteuid32()       = 0
1583  17:41:43.373396 getgid32()        = 0
1583  17:41:43.374531 getegid32()       = 0
1583  17:41:43.375540 timer_delete(0x1) = 0

OpenSSL 3.0.0:
1580  17:19:03.601282 getuid32()        = 0
1580  17:19:03.602289 geteuid32()       = 0
1580  17:19:03.603231 getgid32()        = 0
1580  17:19:03.604166 getegid32()       = 0
1580  17:19:03.605141 open("/usr/lib/ssl-3/cert.pem", 
O_RDONLY|O_LARGEFILE) = 4
1580  17:19:03.606731 fstat64(4, {st_mode=S_IFREG|0666, st_size=79902, 
...}) = 0
1580  17:19:03.609420 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6ff1000
1580  17:19:03.610449 read(4, "# Version: 1.51\n-----BEGIN CERTI"..., 
4096) = 4096
1580  17:19:03.612808 read(4, "NXozS7Gas44XRrIsQxzgHVGzbjHjhMM5"..., 
4096) = 4096
1580  17:19:03.713691 read(4, "hT37ha88HQfqDjrw43bAuEbFrskLMmrz"..., 
4096) = 4096
1580  17:19:03.906236 read(4, "vT0Lwdd8KkMaOIG+YD/is\nI19wKTakyY"..., 
4096) = 4096
1580  17:19:04.098848 read(4, "QQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ"..., 
4096) = 4096
1580  17:19:04.197974 read(4, "hG5QbutC+5yqHLkP88Oe\nLe3hwcyV07e"..., 
4096) = 4096
1580  17:19:04.344133 read(4, "wA3ekEzeOEz4vMQGn+H\nLL729fdC4uW/"..., 
4096) = 4096
1580  17:19:04.490050 read(4, "M48vCR85mLK4b19p71XZQvk/iXttmkQ3"..., 
4096) = 4096
1580  17:19:04.589137 read(4, "HdWdAgMBAAGjQjBA\nMA8GA1UdEwEB/wQ"..., 
4096) = 4096
1580  17:19:04.736698 read(4, "Lpyo7RJlbmr2EkRT\ncDCVw5wrWCs9CHR"..., 
4096) = 4096
1580  17:19:04.836338 read(4, "9IVVO5EFdkKrqeKM+2x\nLXY2JtwE65/3"..., 
4096) = 4096
1580  17:19:04.985568 read(4, "F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0\n"..., 
4096) = 4096
1580  17:19:05.087120 read(4, "WRJ2p\nmj6q1WZmAT7qSeaiNbz69t2Vjp"..., 
4096) = 4096
1580  17:19:05.189130 read(4, "R5B3LjiKY0QP6x93SGVvdh2azrsw\n/FQ"..., 
4096) = 4096
1580  17:19:05.343106 read(4, "TE1MDYzMDAwMDAwMFoXDTI1MDYyOTIzN"..., 
4096) = 4096
1580  17:19:05.441340 read(4, "oXkJKtv3\nL7IezMdeatiDh6GX70k1Pnc"..., 
4096) = 4096
1580  17:19:05.588597 read(4, "CAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1e"..., 
4096) = 4096
1580  17:19:05.736050 read(4, "gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk"..., 
4096) = 4096
1580  17:19:05.896427 read(4, "wQFMAMB\nAf8wDgYDVR0PAQH/BAQDAgGG"..., 
4096) = 4096
1580  17:19:06.277284 read(4, "Mk7BPZ7hm/ELNKjD+Jo2FR3qyH\nB5T0Y"..., 
4096) = 2078
1580  17:19:06.473966 read(4, "", 4096) = 0
1580  17:19:06.475169 close(4)          = 0
1580  17:19:06.476206 munmap(0xb6ff1000, 4096) = 0
1580  17:19:06.492602 getuid32()        = 0
1580  17:19:06.493604 geteuid32()       = 0
1580  17:19:06.494605 getgid32()        = 0
1580  17:19:06.495607 getegid32()       = 0
1580  17:19:06.496665 getuid32()        = 0
1580  17:19:06.497666 geteuid32()       = 0
1580  17:19:06.508460 getgid32()        = 0
1580  17:19:06.509462 getegid32()       = 0
1580  17:19:06.510544 timer_delete(0x1) = 0


Why so slow?

Jay

